I’m new to Fedora CoreOS (but I actually wrote some of the original documentation for installing on physical machines in 2014, when it was just CoreOS), and I am working on an FCCT config to run HashiCorp Consul on EC2 with Terraform. Since I am using the provided Fedora CoreOS AMI and Terraform, I am trying to keep everything in Terraform and not build a custom AMI, to keep everything simple.
My FCCT is performing the following tasks:

- Uses `storage.files` to download the binary from HashiCorp releases
- Runs a container to unzip the Consul file, as FCOS does not have `unzip` available
- Sets some permissions (maybe this should be setting up SELinux properly)
```yaml
variant: fcos
version: 1.2.0
passwd:
  users:
    - name: core
      groups: [sudo, docker]
      ssh_authorized_keys:
        - "thekey"
    - name: consul
      system: true
      home_dir: /etc/consul.d
      shell: /bin/false
systemd:
  units:
    - name: install-consul.service
      enabled: true
      contents: |
        [Unit]
        Before=consul.service
        After=network-online.target docker.service
        ConditionPathExists=!/usr/local/bin/consul
        [Service]
        Type=oneshot
        ExecStart=/usr/local/bin/install-consul.sh
        RemainAfterExit=yes
        [Install]
        WantedBy=consul.service
    - name: consul.service
      enabled: true
      contents: |
        [Unit]
        Description="HashiCorp Consul - A service mesh solution"
        Documentation=https://www.consul.io/
        Requires=network-online.target
        After=network-online.target
        Wants=install-consul.service
        ConditionFileNotEmpty=/etc/consul.d/consul.hcl
        [Service]
        Type=notify
        ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/
        ExecReload=/bin/kill --signal HUP $MAINPID
        KillMode=process
        KillSignal=SIGTERM
        Restart=on-failure
        LimitNOFILE=65536
        [Install]
        WantedBy=multi-user.target
storage:
  directories:
    - path: /etc/consul.d
      user:
        name: consul
      group:
        name: consul
    - path: /opt/consul
      user:
        name: consul
      group:
        name: consul
    - path: /opt/bootstrap
  files:
    - path: /opt/bootstrap/consul.zip
      contents:
        source: https://releases.hashicorp.com/consul/${consul_version}/consul_${consul_version}_linux_amd64.zip
    - path: /usr/local/bin/install-consul.sh
      mode: 0755
      contents:
        inline: |
          #!/bin/bash
          docker run --rm -v /opt/bootstrap:/tmp:z --workdir=/tmp alpine:latest unzip consul.zip
          mv /opt/bootstrap/consul /usr/local/bin/
          chown root:root /usr/local/bin/consul
          chmod 755 /usr/local/bin/consul
          # should not be doing this
          setenforce 0
    - path: /etc/consul.d/consul.hcl
      contents:
        inline: |
          datacenter = "${datacenter}"
          server = true
          bootstrap_expect = ${bootstrap_expect}
          data_dir = "/opt/consul/data"
          advertise_addr = "{{GetInterfaceIP \"ens5\"}}"
          client_addr = "0.0.0.0"
          log_level = "INFO"
          ui_config {
            enabled = true
          }
```
However, I am not able to get the systemd unit to run properly, as it displays the following in `journalctl`:

```
consul.service: Failed at step EXEC spawning /usr/local/bin/consul: Permission denied
```

I can get it to run by running `setenforce 0` as part of the `install-consul.service` script, but obviously this is not the best solution.
Is there a better way to set this up? I realize that FCOS is really designed for containers, but is there something I am missing in the documentation? I realize I could move this into a container image and pull it, but the FCCT makes it really easy with Terraform to keep IaC and deployments light.

I am brushing up on SELinux, but is there a way to use SELinux to determine what labels I should be setting/using?
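One way to keep SELinux enforcing and still have systemd execute the binary, as an added example that is not part of the original post: replace only the `install-consul.sh` entry from the config above with the version below. The `:z` volume option relabels `/opt/bootstrap` (and the files the container writes there) to `container_file_t`; `mv` inside the same filesystem is a rename, so the extracted binary keeps that label when it lands in `/usr/local/bin`, and `container_file_t` is not an executable type from systemd's point of view. Creating the file in place and then running `restorecon` gives it the label the policy expects for that path. The Terraform template variables (`${consul_version}` and so on) are the ones from the post; it is assumed that `restorecon` (policycoreutils) is present on the host, which it is on stock Fedora CoreOS.

```yaml
storage:
  files:
    - path: /usr/local/bin/install-consul.sh
      mode: 0755
      contents:
        inline: |
          #!/bin/bash
          set -euo pipefail
          # Unzip in a throwaway container, as in the original script. ":z" lets
          # the container write here by relabeling /opt/bootstrap as container_file_t.
          docker run --rm -v /opt/bootstrap:/tmp:z --workdir=/tmp alpine:latest unzip consul.zip
          # Do not "mv": that keeps the container_file_t label on the binary.
          # "install" creates a fresh file at the destination with the right
          # owner and mode, so no separate chown/chmod is needed.
          install -o root -g root -m 0755 /opt/bootstrap/consul /usr/local/bin/consul
          # Reset the label to what the policy defines for /usr/local/bin,
          # instead of turning SELinux off with setenforce 0.
          restorecon -v /usr/local/bin/consul
          rm -f /opt/bootstrap/consul
```

To see what is going on before and after, `ls -Z /usr/local/bin/consul` shows the label the file currently carries, and `restorecon -nv /usr/local/bin/consul` (dry run, `-n`) prints the label the policy would assign without changing anything, which answers the question of which label a given path should have. The denial itself shows up as an `avc:` line in `journalctl -k`, and it should disappear once the label matches.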