421 lines
16 KiB
Plaintext
421 lines
16 KiB
Plaintext
#cloud-config
|
|
# Update apt database on first boot
|
|
# (ie run apt-get update)
|
|
#
|
|
# Default: true
|
|
package_update: false
|
|
|
|
# Upgrade the instance on first boot
|
|
#
|
|
# Default: false
|
|
package_upgrade: true
|
|
|
|
# Reboot after package install/update if necessary
|
|
# Default: false
|
|
package_reboot_if_required: true
|
|
|
|
# For 'apt' specific config, see cloud-config-apt.txt
|
|
packages:
|
|
- pwgen
|
|
- pastebinit
|
|
|
|
# set up mount points
|
|
# 'mounts' contains a list of lists
|
|
# the inner list are entries for an /etc/fstab line
|
|
# ie : [ fs_spec, fs_file, fs_vfstype, fs_mntops, fs_freq, fs_passno ]
|
|
#
|
|
# default:
|
|
# mounts:
|
|
# - [ ephemeral0, /mnt ]
|
|
# - [ swap, none, swap, sw, 0, 0 ]
|
|
#
|
|
# in order to remove a previously listed mount (ie, one from defaults)
|
|
# list only the fs_spec. For example, to override the default, of
|
|
# mounting swap:
|
|
# - [ swap ]
|
|
# or
|
|
# - [ swap, null ]
|
|
#
|
|
# - if a device does not exist at the time, an entry will still be
|
|
# written to /etc/fstab.
|
|
# - '/dev' can be omitted for device names that begin with: xvd, sd, hd, vd
|
|
# - if an entry does not have all 6 fields, they will be filled in
|
|
# with values from 'mount_default_fields' below.
|
|
#
|
|
# Note, that you should set 'nofail' (see man fstab) for volumes that may
|
|
# not be attached at instance boot (or reboot)
|
|
#
|
|
mounts:
|
|
- [ ephemeral0, /mnt, auto, "defaults,noexec" ]
|
|
- [ sdc, /opt/data ]
|
|
- [ xvdh, /opt/data, "auto", "defaults,nofail", "0", "0" ]
|
|
- [ dd, /dev/zero ]
|
|
|
|
# mount_default_fields
|
|
# These values are used to fill in any entries in 'mounts' that are not
|
|
# complete. This must be an array, and must have 7 fields.
|
|
mount_default_fields: [ None, None, "auto", "defaults,nofail", "0", "2" ]
|
|
|
|
# add each entry to ~/.ssh/authorized_keys for the configured user or the
|
|
# first user defined in the user definition directive.
|
|
ssh_authorized_keys:
|
|
- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoUPND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ mykey@host
|
|
- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3I7VUf2l5gSn5uavROsc5HRDpZdQueUq5ozemNSj8T7enqKHOEaFoU2VoPgGEWC9RyzSQVeyD6s7APMcE82EtmW4skVEgEGSbDc1pvxzxtchBj78hJP6Cf5TCMFSXw+Fz5rF1dR23QDbN1mkHs7adr8GW4kSWqU7Q7NDwfIrJJtO7Hi42GyXtvEONHbiRPOe8stqUly7MvUoN+5kfjBM8Qqpfl2+FNhTYWpMfYdPUnE7u536WqzFmsaqJctz3gBxH9Ex7dFtrxR4qiqEr9Qtlu3xGn7Bw07/+i1D+ey3ONkZLN+LQ714cgj8fRS4Hj29SCmXp5Kt5/82cD/VN3NtHw== smoser@brickies
|
|
|
|
# Send pre-generated ssh private keys to the server
|
|
# If these are present, they will be written to /etc/ssh and
|
|
# new random keys will not be generated
|
|
# in addition to 'rsa' as shown below, 'ecdsa' is also supported
|
|
ssh_keys:
|
|
rsa_private: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qcon2LZS/x
|
|
1cydPZ4pQpfjEha6WxZ6o8ci/Ea/w0n+0HGPwaxlEG2Z9inNtj3pgFrYcRztfECb
|
|
1j6HCibZbAzYtwIBIwJgO8h72WjcmvcpZ8OvHSvTwAguO2TkR6mPgHsgSaKy6GJo
|
|
PUJnaZRWuba/HX0KGyhz19nPzLpzG5f0fYahlMJAyc13FV7K6kMBPXTRR6FxgHEg
|
|
L0MPC7cdqAwOVNcPY6A7AjEA1bNaIjOzFN2sfZX0j7OMhQuc4zP7r80zaGc5oy6W
|
|
p58hRAncFKEvnEq2CeL3vtuZAjEAwNBHpbNsBYTRPCHM7rZuG/iBtwp8Rxhc9I5w
|
|
ixvzMgi+HpGLWzUIBS+P/XhekIjPAjA285rVmEP+DR255Ls65QbgYhJmTzIXQ2T9
|
|
luLvcmFBC6l35Uc4gTgg4ALsmXLn71MCMGMpSWspEvuGInayTCL+vEjmNBT+FAdO
|
|
W7D4zCpI43jRS9U06JVOeSc9CDk2lwiA3wIwCTB/6uc8Cq85D9YqpM10FuHjKpnP
|
|
REPPOyrAspdeOAV+6VKRavstea7+2DZmSUgE
|
|
-----END RSA PRIVATE KEY-----
|
|
|
|
rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7XdewmZ3h8eIXJD7TRHtVW7aJX1ByifYtlL/HVzJ09nilCl+MSFrpbFnqjxyL8Rr/DSf7QcY/BrGUQbZn2Kc22PemAWthxHO18QJvWPocKJtlsDNi3 smoser@localhost
|
|
|
|
# remove access to the ec2 metadata service early in boot via null route
|
|
# the null route can be removed (by root) with:
|
|
# route del -host 169.254.169.254 reject
|
|
# default: false (service available)
|
|
disable_ec2_metadata: true
|
|
|
|
# run commands
|
|
# default: none
|
|
# runcmd contains a list of either lists or a string
|
|
# each item will be executed in order at rc.local like level with
|
|
# output to the console
|
|
# - if the item is a list, the items will be properly executed as if
|
|
# passed to execve(3) (with the first arg as the command).
|
|
# - if the item is a string, it will be simply written to the file and
|
|
# will be interpreted by 'sh'
|
|
#
|
|
# Note, that the list has to be proper yaml, so you have to escape
|
|
# any characters yaml would eat (':' can be problematic)
|
|
runcmd:
|
|
- [ ls, -l, / ]
|
|
- [ sh, -xc, "echo $(date) ': hello world!'" ]
|
|
- [ sh, -c, echo "=========hello world'=========" ]
|
|
- ls -l /root
|
|
# Note: Don't write files to /tmp from cloud-init use /run/somedir instead.
|
|
# Early boot environments can race systemd-tmpfiles-clean LP: #1707222.
|
|
- mkdir /run/mydir
|
|
- [ wget, "http://slashdot.org", -O, /run/mydir/index.html ]
|
|
|
|
|
|
# boot commands
|
|
# default: none
|
|
# This is very similar to runcmd above, but commands run very early
|
|
# in the boot process, only slightly after a 'boothook' would run.
|
|
# - bootcmd will run on every boot
|
|
# - 'cloud-init-per' command can be used to make bootcmd run exactly once
|
|
bootcmd:
|
|
- echo 192.168.1.130 us.archive.ubuntu.com > /etc/hosts
|
|
- [ cloud-init-per, once, mymkfs, mkfs, /dev/vdb ]
|
|
|
|
# This is an array of arrays or strings.
|
|
# if item is a string, then it is read as a module name
|
|
# if the item is an array it is of the form:
|
|
# name, frequency, arguments
|
|
# where 'frequency' is one of:
|
|
# once-per-instance
|
|
# always
|
|
# a python file in the CloudConfig/ module directory named
|
|
# cc_<name>.py
|
|
# example:
|
|
cloud_config_modules:
|
|
- mounts
|
|
- ssh_import_id
|
|
- ssh
|
|
- grub_dpkg
|
|
- [ apt_update_upgrade, always ]
|
|
- puppet
|
|
- disable_ec2_metadata
|
|
- runcmd
|
|
- byobu
|
|
|
|
# unverified_modules: []
|
|
# if a config module declares a set of distros as supported then it will be
|
|
# skipped if running on a different distro. to override this sanity check,
|
|
# provide a list of modules that should be run anyway in 'unverified_modules'.
|
|
# The default is an empty list (ie, trust modules).
|
|
#
|
|
# Example:
|
|
# unverified_modules: ['apt_update_upgrade']
|
|
# default: []
|
|
|
|
# ssh_import_id: [ user1, user2 ]
|
|
# ssh_import_id will feed the list in that variable to
|
|
# ssh-import-id, so that public keys stored in launchpad
|
|
# can easily be imported into the configured user
|
|
# This can be a single string ('smoser') or a list ([smoser, kirkland])
|
|
ssh_import_id: [smoser]
|
|
|
|
# Provide debconf answers / debian preseed values
|
|
#
|
|
# See debconf-set-selections man page.
|
|
#
|
|
# Default: none
|
|
#
|
|
apt:
|
|
debconf_selections:
|
|
# Force debconf priority to critical.
|
|
set1: debconf debconf/priority select critical
|
|
# Override default frontend to readline, but allow user to select.
|
|
set2: |
|
|
debconf debconf/frontend select readline
|
|
debconf debconf/frontend seen false
|
|
|
|
# manage byobu defaults
|
|
# byobu_by_default:
|
|
# 'user' or 'enable-user': set byobu 'launch-by-default' for the default user
|
|
# 'system' or 'enable-system' or 'enable':
|
|
# enable 'launch-by-default' for all users, do not modify default user
|
|
# 'disable': disable both default user and system
|
|
# 'disable-system': disable system
|
|
# 'disable-user': disable for default user
|
|
# not-set: no changes made
|
|
byobu_by_default: system
|
|
|
|
# disable ssh access as root.
|
|
# if you want to be able to ssh in to the system as the root user
|
|
# rather than as the 'ubuntu' user, then you must set this to false
|
|
# default: true
|
|
disable_root: false
|
|
|
|
# disable_root_opts: the value of this variable will prefix the
|
|
# respective key in /root/.ssh/authorized_keys if disable_root is true
|
|
# see 'man authorized_keys' for more information on what you can do here
|
|
#
|
|
# The string '$USER' will be replaced with the username of the default user.
|
|
# The string '$DISABLE_USER' will be replaced with the username to disable.
|
|
#
|
|
# disable_root_opts: no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit 142"
|
|
|
|
# disable ssh access for non-root-users
|
|
# To disable ssh access for non-root users, ssh_redirect_user: true can be
|
|
# provided for any use in the 'users' list. This will prompt any ssh login
|
|
# attempts as that user with a message like that in disable_root_opts which
|
|
# redirects the person to login as <default_username>
|
|
# This option can not be combined with either ssh_authorized_keys or
|
|
# ssh_import_id.
|
|
users:
|
|
- default
|
|
- name: blockeduser
|
|
ssh_redirect_user: true
|
|
|
|
|
|
# set the locale to a given locale
|
|
# default: en_US.UTF-8
|
|
locale: en_US.UTF-8
|
|
# render template default-locale.tmpl to locale_configfile
|
|
locale_configfile: /etc/default/locale
|
|
|
|
# resize_rootfs should the / filesystem be resized on first boot
|
|
# this allows you to launch an instance with a larger disk / partition
|
|
# and have the instance automatically grow / to accomoddate it
|
|
# set to 'False' to disable
|
|
# by default, the resizefs is done early in boot, and blocks
|
|
# if resize_rootfs is set to 'noblock', then it will be run in parallel
|
|
resize_rootfs: True
|
|
|
|
## hostname and /etc/hosts management
|
|
# cloud-init can handle updating some entries in /etc/hosts,
|
|
# and can set your hostname for you.
|
|
#
|
|
# if you do nothing you'll end up with:
|
|
# * /etc/hostname (and `hostname`) managed via: 'preserve_hostame: false'
|
|
# if you do not change /etc/hostname, it will be updated with the cloud
|
|
# provided hostname on each boot. If you make a change, then manual
|
|
# maintenance takes over, and cloud-init will not modify it.
|
|
#
|
|
# * /etc/hosts managed via: 'manage_etc_hosts: false'
|
|
# cloud-init will not manage /etc/hosts at all. It is in full manual
|
|
# maintenance mode.
|
|
#
|
|
# You can change the above behavior with the following config variables:
|
|
# Remember that these can be set in cloud-config via user-data,
|
|
# /etc/cloud/cloud.cfg or any file in /etc/cloud/cloud.cfg.d/
|
|
#
|
|
# == Hostname management (via /etc/hostname) ==
|
|
# * preserve_hostname:
|
|
# default: False
|
|
# If this option is set to True, then /etc/hostname will never updated
|
|
# The default behavior is to update it if it has not been modified by
|
|
# the user.
|
|
#
|
|
# * hostname:
|
|
# this option will be used wherever the 'hostname' is needed
|
|
# simply substitute it in the description above.
|
|
# ** If you wish to set your hostname, set it here **
|
|
# default: 'hostname' as returned by the metadata service
|
|
# on EC2, the hostname portion of 'local-hostname' is used
|
|
# which is something like 'ip-10-244-170-199'
|
|
#
|
|
# * fqdn:
|
|
# this option will be used wherever 'fqdn' is needed.
|
|
# simply substitute it in the description above.
|
|
# default: fqdn as returned by the metadata service. on EC2 'hostname'
|
|
# is used, so this is like: ip-10-244-170-199.ec2.internal
|
|
#
|
|
# == /etc/hosts management ==
|
|
#
|
|
# The cloud-config variable that covers management of /etc/hosts is
|
|
# 'manage_etc_hosts'
|
|
#
|
|
# By default, its value is 'false' (boolean False)
|
|
#
|
|
# * manage_etc_hosts:
|
|
# default: false
|
|
#
|
|
# false:
|
|
# cloud-init will not modify /etc/hosts at all.
|
|
# * Whatever is present at instance boot time will be present after boot.
|
|
# * User changes will not be overwritten
|
|
#
|
|
# true:
|
|
# on every boot, /etc/hosts will be re-written from
|
|
# /etc/cloud/templates/hosts.tmpl.
|
|
# The strings '$hostname' and '$fqdn' are replaced in the template
|
|
# with the appropriate values.
|
|
# To make modifications persistent across a reboot, you must make
|
|
# modificatoins to /etc/cloud/templates/hosts.tmpl
|
|
#
|
|
# localhost:
|
|
# This option ensures that an entry is present for fqdn as described in
|
|
# section 5.1.2 of the debian manual
|
|
# http://www.debian.org/doc/manuals/debian-reference/ch05.en.html
|
|
#
|
|
# cloud-init will generally own the 127.0.1.1 entry, and will update
|
|
# it to the hostname and fqdn on every boot. All other entries will
|
|
# be left as is. 'ping `hostname`' will ping 127.0.1.1
|
|
#
|
|
# If you want a fqdn entry with aliases other than 'hostname' to resolve
|
|
# to a localhost interface, you'll need to use something other than
|
|
# 127.0.1.1. For example:
|
|
# 127.0.1.2 myhost.fqdn.example.com myhost whatup.example.com
|
|
|
|
# final_message
|
|
# default: cloud-init boot finished at $TIMESTAMP. Up $UPTIME seconds
|
|
# this message is written by cloud-final when the system is finished
|
|
# its first boot.
|
|
# This message is rendered as if it were a template. If you
|
|
# want jinja, you have to start the line with '## template:jinja\n'
|
|
final_message: "The system is finally up, after $UPTIME seconds"
|
|
|
|
# phone_home: if this dictionary is present, then the phone_home
|
|
# cloud-config module will post specified data back to the given
|
|
# url. Note that this example requires a `## template: jinja` header
|
|
# default: none
|
|
# phone_home:
|
|
# url: http://my.foo.bar/{{ v1.instance_id }}/
|
|
# post: all
|
|
# tries: 10
|
|
#
|
|
phone_home:
|
|
url: http://my.example.com/{{ v1.instance_id }}/
|
|
post: [ pub_key_rsa, pub_key_ecdsa, instance_id ]
|
|
|
|
# timezone: set the timezone for this instance
|
|
# the value of 'timezone' must exist in /usr/share/zoneinfo
|
|
timezone: US/Eastern
|
|
|
|
# you can set passwords for a user or multiple users
|
|
# this is off by default.
|
|
# to set the default user's password, use the 'password' option.
|
|
# if set, to 'R' or 'RANDOM', then a random password will be
|
|
# generated and written to stdout (the console)
|
|
# password: passw0rd
|
|
#
|
|
# also note, that this will expire the password, forcing a change
|
|
# on first login. If you do not want to expire, see 'chpasswd' below.
|
|
#
|
|
# By default in the UEC images password authentication is disabled
|
|
# Thus, simply setting 'password' as above will only allow you to login
|
|
# via the console.
|
|
#
|
|
# in order to enable password login via ssh you must set
|
|
# 'ssh_pwauth'.
|
|
# If it is set, to 'True' or 'False', then sshd_config will be updated
|
|
# to ensure the desired function. If not set, or set to '' or 'unchanged'
|
|
# then sshd_config will not be updated.
|
|
# ssh_pwauth: True
|
|
#
|
|
# there is also an option to set multiple users passwords, using 'chpasswd'
|
|
# That looks like the following, with 'expire' set to 'True' by default.
|
|
# to not expire users passwords, set 'expire' to 'False'. Also possible
|
|
# to set hashed password, here account 'user3' has a password it set to
|
|
# 'cloud-init', hashed with SHA-256:
|
|
# chpasswd:
|
|
# users:
|
|
# - name: user1
|
|
# password: password1
|
|
# type: text
|
|
# - user2
|
|
# type: RANDOM
|
|
# - user3
|
|
# password: $5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA
|
|
# type: hash
|
|
# expire: True
|
|
# ssh_pwauth: [ True, False, "" or "unchanged" ]
|
|
#
|
|
# Hashed passwords can be generated in multiple ways, example with python3 and the passlib module:
|
|
# python3 -c 'import passlib.hash;print(passlib.hash.sha512_crypt.hash("password"))'
|
|
# Newer versions of 'mkpasswd' will also work: mkpasswd -m sha-512 password
|
|
#
|
|
# So, a simple working example to allow login via ssh, and not expire
|
|
# for the default user would look like:
|
|
password: passw0rd
|
|
chpasswd: { expire: False }
|
|
ssh_pwauth: True
|
|
|
|
## configure interaction with ssh server
|
|
# ssh_svcname: ssh
|
|
# set the name of the option to 'service restart'
|
|
# in order to restart the ssh daemon. For fedora, use 'sshd'
|
|
# default: ssh
|
|
# ssh_deletekeys: True
|
|
# boolean indicating if existing ssh keys should be deleted on a
|
|
# per-instance basis. On a public image, this should absolutely be set
|
|
# to 'True'
|
|
# ssh_genkeytypes: ['rsa', 'ecdsa']
|
|
# a list of the ssh key types that should be generated
|
|
# These are passed to 'ssh-keygen -t'
|
|
|
|
## configuration of ssh keys output to console
|
|
# ssh_fp_console_blacklist: []
|
|
# ssh_key_console_blacklist: [ssh-dss]
|
|
# A list of key types (first token of a /etc/ssh/ssh_key_*.pub file)
|
|
# that should be skipped when outputting key fingerprints and keys
|
|
# to the console respectively.
|
|
|
|
## poweroff or reboot system after finished
|
|
# default: none
|
|
#
|
|
# power_state can be used to make the system shutdown, reboot or
|
|
# halt after boot is finished. This same thing can be achieved by
|
|
# user-data scripts or by runcmd by simply invoking 'shutdown'.
|
|
#
|
|
# Doing it this way ensures that cloud-init is entirely finished with
|
|
# modules that would be executed, and avoids any error/log messages
|
|
# that may go to the console as a result of system services like
|
|
# syslog being taken down while cloud-init is running.
|
|
#
|
|
# delay: form accepted by shutdown. default is 'now'. other format
|
|
# accepted is an integer for the number of minutes to delay
|
|
# mode: required. must be one of 'poweroff', 'halt', 'reboot'
|
|
# message: provided as the message argument to 'shutdown'. default is none.
|
|
power_state:
|
|
delay: 30
|
|
mode: poweroff
|
|
message: Bye Bye
|