Overview
This is a flavour containing the haproxy load-balancing proxy. You MUST copy in your own haproxy.conf file, the default setup is hard-coded example.
The flavour includes a local consul agent instance to be available that it can connect to (see configuration below). You can e.g. use the consul pot flavour on this site to run consul. If no consul instance is available at first, make sure it’s up within an hour and the certificate renewal process will restart consul. You can also connect to this host and service consul restart manually.
Installation
- Create a ZFS data set on the parent system beforehand
zfs create -o mountpoint=/mnt/haproxydata zroot/haproxydata - Create your local jail from the image or the flavour files.
- Clone the local jail
- Mount in the ZFS data set you created
pot mount-in -p <jailname> -m /mnt -d /mnt/haproxydata - Copy in the SSH private key for the user on the Vault leader:
pot copy-in -p <jailname> -s /root/sshkey -d /root/sshkey - Copy in YOUR haproxy.conf file, and do not change the destination path:
pot copy-in -p <jailname> -s /root/haproxy.conf -d /root/haproxy.conf - Adjust to your environment:
sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> \ -E IP=<IP address of this system> -E PUBLICIP=<Public IP for HAProxy frontend> \ -E CONSULSERVERS='<correctly formatted list of quoted IP addresses>' \ -E VAULTSERVER=<IP address vault server> -E VAULTTOKEN=<token> \ -E SFTPUSER=certuser -E SFTPPASS=<password> -E GOSSIPKEY=<32 byte Base64 key from consul keygen>
The PUBLICIP parameter is the IP address to use as the front-end to haproxy.
The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'
The GOSSIPKEY parameter is the gossip encryption key for consul agent. We’re using a default key if you do not set the parameter, do not use the default key for production encryption, instead provide your own.
The VAULTSERVER parameter is the IP address of the vault server to authenticate to, and obtain certificates from.
The VAULTTOKEN parameter is the issued token from the vault server.
The SFTPUSER and SFTPPASS parameters are for the user on the vault leader in the VAULTSERVER parameter. You need to copy in the id_rsa from there to the host of this image.
Usage
To configure haproxyyou must copy-in a haproxy.conf file with your specific front-end and back-end parameters.
This will be copied to /usr/local/etc/haproxy.conf and used for haproxy startup.
If you don’t copy-in your own haproxy.conf file, then please take note the default is a round-robin webserver example with hard-coded IP addresses.
Persistent Storage
Persistent storage will be in the ZFS data set zroot/haproxydata, available inside the image at /mnt
If you stop the image, the data will still exist, and a new image can be started up and still use it.
If you need to change the directory parameters for the ZFS data set, adjust the mount-in command accordingly for the source directory as mounted by the parent OS.
Do not adjust the image destination mount point at /mnt because haproxy is configured to use this directory for data.
Getting Started
- Image Readme
- How To Use The Ready-Made Image
- Alternatively: Create a Jail With This Flavour Yourself
- Version History
- Manual Image Download Links
- Jenkins Pot Creation Logs
How To Use The Ready-Made Image
FreeBSD 13.1:
pot import -p haproxy-amd64-13_1 -t 0.0.12 -U https://potluck.honeyguide.net/haproxy
FreeBSD 12.3:
pot import -p haproxy-amd64-12_3 -t 0.0.12 -U https://potluck.honeyguide.net/haproxy
If you don’t want to use the default pot bridged network configuration but instead need an individual network setup (e.g. assign a host IP address), after importing it you can simply clone the jail like that (em0 is the host network adapter in this example):
pot clone -P haproxy-amd64-13_1 -p my-cloned-jail -N alias -i "em0|10.10.10.10"
Note: Some images might require specific network configuration, double check the Overview-chapter at the top.
Alternatively: Create a Jail With This Flavour Yourself
1. Create Flavour Files
Save all files and directories from https://github.com/hny-gd/potluck/tree/master/haproxy to /usr/local/etc/pot/flavours/
2. Create Jail From Flavour
Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update
with your FreeBSD version (e.g. 13.1) and the name your jail should get.
Note: Some images might require specific network configuration, double check the Overview-chapter at the top.
Version History
0.0.12
- Version bump for p3 rebuild
- Add checklist
0.0.11
- Version bump for FreeBSD-13.1 image
0.0.10
- Merged PR 26 and incrementing version in changelog and ini
0.0.9
- Rebuild for FreeBSD 12_3 and 13 & pot 13
0.0.8
- Setting stricter permissions on key.pem
0.0.7
- Removing sftppass, unsetting consul sysrc parameters where needed
0.0.6
- Fixing an overwrite of earlier correction
0.0.5
- General security improvements
0.0.4
- Tweaking mandatory variables for optional parameters
0.0.3
- Fixing tag error in README
0.0.2
- Consul uses port 8600 for DNS
0.0.1
- First bash at haproxy image
0.0.0
- Initiate file
These images were built on Sat Nov 5 00:00:40 UTC 2022
Manual Image Download Links
haproxy-amd64-13_1_0.0.12.xz (
)
haproxy-amd64-13_1_0.0.12.xz.skein (
)
haproxy-amd64-13_1_0.0.12.xz.meta (
)
haproxy-amd64-12_3_0.0.12.xz (
483.327 MB
)
haproxy-amd64-12_3_0.0.12.xz.skein (
0.250977 KB
)
haproxy-amd64-12_3_0.0.12.xz.meta (
0.00195312 KB
)
Jenkins Pot Creation Logs
haproxy-amd64-13_1_0.0.12:
haproxy/haproxy:
copy-in -s /usr/local/etc/pot/flavours/haproxy.d/syslog-ng.conf -d /root
set-attribute -A start-at-boot -V YES
haproxy/haproxy.sh:
#!/bin/sh
# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
# make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
# contains the copy-in commands for the config files from <flavour>.d/
# Remember that the package directories don't exist yet, so likely copy
# to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
# Configure the config files that have been copied in where necessary
# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false
# set the cook log path/filename
COOKLOG=/var/log/cook.log
# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
echo "Creating $COOKLOG" | tee -a $COOKLOG
else
echo "WARNING $COOKLOG already exists" | tee -a $COOKLOG
fi
date >> $COOKLOG
# -------------------- COMMON ---------------
STEPCOUNT=0
step() {
STEPCOUNT=$(("$STEPCOUNT" + 1))
STEP="$*"
echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}
exit_ok() {
trap - EXIT
exit 0
}
FAILED=" failed"
exit_error() {
STEP="$*"
FAILED=""
exit 1
}
set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT
# -------------- BEGIN PACKAGE SETUP -------------
step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# only modify repo if not already done in base image
# shellcheck disable=SC2016
test -e /usr/local/etc/pkg/repos/FreeBSD.conf || \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
>/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
step "Touch /etc/rc.conf"
touch /etc/rc.conf
# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
# shellcheck disable=SC2015
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true
step "Disable sendmail"
service sendmail onedisable
step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d
# we need consul for consul agent
step "Install package consul"
pkg install -y consul
step "Install package node_exporter"
pkg install -y node_exporter
step "Install package haproxy"
pkg install -y haproxy
step "Install package sudo"
pkg install -y sudo
step "Install package curl"
pkg install -y curl
step "Install package jq"
pkg install -y jq
step "Install package jo"
pkg install -y jo
step "Install package vault"
pkg install -y vault
step "Install package syslog-ng"
pkg install -y syslog-ng
step "Clean package installation"
pkg clean -y
# -------------- END PACKAGE SETUP -------------
#
# Create configurations
#
#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#
# clear any old cook runtime file
step "Remove pre-existing cook script (if any)"
rm -f /usr/local/bin/cook
# this runs when image boots
# ----------------- BEGIN COOK ------------------
step "Create cook script"
echo "#!/bin/sh
RUNS_IN_NOMAD=$RUNS_IN_NOMAD
# declare this again for the pot image, might work carrying variable through like
# with above
COOKLOG=/var/log/cook.log
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
# If this pot flavour is blocking (i.e. it should not return),
# we block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
/bin/sh /etc/rc
tail -f /dev/null
fi
exit 0
fi
# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
# not needed, not started automatically, needs configuring
# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
. /tmp/environment.sh
fi
#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
#
# Check config variables are set
#
if [ -z \${DATACENTER+x} ]; then
echo 'DATACENTER is unset - see documentation to configure this flavour with the datacenter name. This parameters is mandatory.'
exit 1
fi
if [ -z \${NODENAME+x} ];
then
echo 'NODENAME is unset - see documentation to configure this flavour with a name for this node. This parameter is mandatory.'
exit 1
fi
if [ -z \${CONSULSERVERS+x} ]; then
echo 'CONSULSERVERS is unset - please pass in one or more correctly-quoted, comma-separated addresses for consul peer IPs. Refer to documentation. This parameter is mandatory.'
exit 1
fi
if [ -z \${IP+x} ]; then
echo 'IP is unset - see documentation to configure this flavour for an IP address. This parameter is mandatory.'
exit 1
fi
if [ -z \${PUBLICIP+x} ]; then
echo 'PUBLICIP is unset - see documentation to configure this flavour for a public IP address for haproxy frontend. This parameter is mandatory.'
exit 1
fi
if [ -z \${VAULTSERVER+x} ];
then
echo 'VAULTSERVER is unset - see documentation to set the vault server IP address. This is required to obtain certificates. This parameter is mandatory.'
exit 1
fi
# we need a token from the vault server
if [ -z \${VAULTTOKEN+x} ];
then
echo 'VAULTTOKEN is unset - a vault token is required to obtain certificates. Refer to documentation. This parameters is mandatory.'
exit 1
fi
# GOSSIPKEY is a 32 byte, Base64 encoded key generated with consul keygen for the consul flavour.
# Re-used for nomad, which is usually 16 byte key but supports 32 byte, Base64 encoded keys
# We'll re-use the one from the consul flavour
if [ -z \${GOSSIPKEY+x} ];
then
echo 'GOSSIPKEY is unset - please provide a 32 byte base64 key from the (consul keygen key) command. This parameter is mandatory.'
exit 1
fi
# sftpuser credentials
if [ -z \${SFTPUSER+x} ];
then
echo 'SFTPUSER is unset - please provide a username to use for the SFTP user on the vault leader. This parameter is mandatory.'
exit 1
fi
# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files
# add group for accessing certs (shared between services)
/usr/sbin/pw groupadd certaccess
# some basic ssh setup
echo \"Initialising ssh settings\"
mkdir -p /root/.ssh
chmod 700 /root/.ssh
touch /root/.ssh/authorized_keys
if [ -f /root/sshkey ] && [ ! -f /root/.ssh/id_rsa ]; then
cp /root/sshkey /root/.ssh/id_rsa
chmod 600 /root/.ssh/id_rsa
ssh-keygen -f /root/.ssh/id_rsa -y > /root/.ssh/id_rsa.pub
fi
# setup temp directory for temp certs
mkdir -p /tmp/tmpcerts
# echo a message to user
echo \"\"
echo \"########################### IMPORTANT NOTICE ###########################\"
echo \"\"
echo \"Make sure to copy in id_rsa from vault leader certuser instance!\"
echo \"\"
echo \"########################################################################\"
echo \"\"
# end client
# retrieve first round of certificates from vault leader via sftp
echo \"Get first round of certificates from vault leader via sftp\"
if [ -f /root/.ssh/id_rsa ]; then
cd /tmp/tmpcerts
# wildcard retrieval works manually but not in the script, so we specify each file to retrieve
/usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/cert.pem
(umask 137; /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/key.pem)
chgrp certaccess key.pem
/usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/ca.pem
/usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/combinedca.pem
cd ~
fi
# setup directories for vault usage
mkdir -p /mnt/templates
mkdir -p /mnt/certs/hash
chgrp -R certaccess /mnt/certs
mkdir -p /mnt/vault
## start consul
# make consul configuration directory and set permissions
mkdir -p /usr/local/etc/consul.d
chmod 750 /usr/local/etc/consul.d
# Create the consul agent config file with imported variables
echo \"{
\\\"advertise_addr\\\": \\\"\$IP\\\",
\\\"datacenter\\\": \\\"\$DATACENTER\\\",
\\\"node_name\\\": \\\"\$NODENAME\\\",
\\\"data_dir\\\": \\\"/var/db/consul\\\",
\\\"dns_config\\\": {
\\\"a_record_limit\\\": 3,
\\\"enable_truncate\\\": true
},
\\\"verify_incoming\\\": true,
\\\"verify_outgoing\\\": true,
\\\"verify_server_hostname\\\":false,
\\\"verify_incoming_rpc\\\": true,
\\\"ca_file\\\": \\\"/mnt/certs/combinedca.pem\\\",
\\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
\\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
\\\"log_file\\\": \\\"/var/log/consul/\\\",
\\\"log_level\\\": \\\"WARN\\\",
\\\"encrypt\\\": \\\"\$GOSSIPKEY\\\",
\\\"start_join\\\": [ \$CONSULSERVERS ],
\\\"telemetry\\\": {
\\\"prometheus_retention_time\\\": \\\"24h\\\",
\\\"disable_hostname\\\": true
},
\\\"service\\\": {
\\\"address\\\": \\\"\$IP\\\",
\\\"name\\\": \\\"node-exporter\\\",
\\\"tags\\\": [\\\"_app=prometheus\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\", \\\"_datacenter=\$DATACENTER\\\"],
\\\"port\\\": 9100
}
}\" | (umask 177; cat > /usr/local/etc/consul.d/agent.json)
# set owner on /usr/local/etc/consul.d/
chown -R consul:wheel /usr/local/etc/consul.d/
# enable consul
service consul enable
# set load parameter for consul config
sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
# setup consul logs, might be redundant if not specified in agent.json above
mkdir -p /var/log/consul
touch /var/log/consul/consul.log
chown -R consul:wheel /var/log/consul
# add the consul user to the certaccess group
/usr/sbin/pw usermod consul -G certaccess
## end consul
## start Vault
# first remove any existing vault configuration
if [ -f /usr/local/etc/vault/vault-server.hcl ]; then
rm /usr/local/etc/vault/vault-server.hcl
fi
# then setup a fresh vault.hcl specific to the type of image
# default freebsd vault.hcl is /usr/local/etc/vault.hcl and
# the init script /usr/local/etc/rc.d/vault refers to this
# but many vault docs refer to /usr/local/etc/vault/vault-server.hcl
# or similar
# begin vault config
# we're setting a config file but not actually running the vault service
# certificate rotation is being done with a cron job
# token rotation may require the vault service
echo \"disable_mlock = true
ui = false
vault {
address = \\\"\$VAULTSERVER:8200\\\"
retry {
num_retries = 5
}
}
storage \\\"file\\\" {
path = \\\"/mnt/vault/data\\\"
}
#template {
# source = \\\"/mnt/templates/cert.tpl\\\"
# destination = \\\"/mnt/certs/cert.pem\\\"
#}
#template {
# source = \\\"/mnt/templates/ca.tpl\\\"
# destination = \\\"/mnt/certs/ca.pem\\\"
#}
#template {
# source = \\\"/mnt/templates/key.tpl\\\"
# destination = \\\"/mnt/certs/key.pem\\\"
}\" | (umask 177; cat > /usr/local/etc/vault.hcl)
# Set permission for vault.hcl, so that vault can read it
chown vault:wheel /usr/local/etc/vault.hcl
# This is not in use
# setup template files for certificates
echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl
echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl
echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl
# set permissions on /mnt for vault data
chown -R vault:wheel /mnt/vault
# invite to certaccess group
/usr/sbin/pw usermod vault -G certaccess
# setup rc.conf entries
# we do not set vault_user=vault because vault will not start
# we're not starting vault as a service
service vault enable
sysrc vault_login_class=root
sysrc vault_syslog_output_enable=\"YES\"
sysrc vault_syslog_output_priority=\"warn\"
# new CA cert retrieval process with curl
echo \"Retrieving CA certificates from Vault leader\"
# get the root CA
/usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/CA_cert.pem https://\$VAULTSERVER:8200/v1/pki/ca/pem
# append a new line to the file, as will concat together later with another file
if [ -s /mnt/certs/CA_cert.pem ]; then
echo \"\" >> /mnt/certs/CA_cert.pem
fi
# get the intermediate CA
/usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/intermediate.cert.pem https://\$VAULTSERVER:8200/v1/pki_int/ca/pem
# append a new line to the file, as will concat together later with another file
if [ -s /mnt/certs/intermediate.cert.pem ]; then
echo \"\" >> /mnt/certs/intermediate.cert.pem
fi
# validate the certificates
echo \"Validating CA certificates\"
if [ -s /mnt/certs/CA_cert.pem ] && [ -s /mnt/certs/intermediate.cert.pem ]; then
/usr/bin/openssl verify -CAfile /mnt/certs/CA_cert.pem /mnt/certs/intermediate.cert.pem
fi
# unwrap the pki token issued by vault leader
echo \"Unwrapping passed in token...\"
(umask 177; /usr/local/bin/vault unwrap -address=https://\$VAULTSERVER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem -format=json \$VAULTTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token)
sleep 1
if [ -s /root/unwrapped.token ]; then
echo \"Token unwrapped\"
THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
echo \"Logging in to vault leader to authenticate\"
(umask 177; echo \"\$THIS_TOKEN\" | /usr/local/bin/vault login -address=https://\$VAULTSERVER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem -method=token -field=token token=- > /root/login.token)
fi
# get list of secrets engines (helps cluster to align)
/usr/local/bin/vault secrets list -address=https://\$VAULTSERVER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem
echo \"Setting certificate payload\"
if [ -s /root/login.token ]; then
# generate certificates to use
# using this payload.json approach to avoid nested single and double quotes for expansion
# new way of generating payload.json with jo
/usr/local/bin/jo -p common_name=\$IP alt_names=\$NODENAME ttl=24h ip_sans=\"\$IP,127.0.0.1\" format=pem > /mnt/templates/payload.json
# we use curl to get the certificates in json format as the issue command only has formats: pem, pem_bundle, der
# but no json format except via the API
echo \"Generating certificates to use from Vault\"
HEADER=\$(/bin/cat /root/login.token)
(umask 177; /usr/local/bin/curl --cacert /tmp/tmpcerts/combinedca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json)
# extract the required certificates to individual files
/usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
# append the ca cert to the cert
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem)
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
# haproxy requires certificate and key in a single file
(umask 137; /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/certkey.pem)
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json >> /mnt/certs/certkey.pem)
cd /mnt/certs
# concat the root CA and intermediary CA into combined file
cat /mnt/certs/CA_cert.pem /mnt/certs/ca.pem > /mnt/certs/combinedca.pem
# steps here to hash ca, required for syslog-ng
ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
cd /root
# set permissions on /mnt/certs for vault
chown -R vault:certaccess /mnt/certs
# Setting root:certaccess and 0640 on key across images
chown root:certaccess /mnt/certs/key.pem
chmod 640 /mnt/certs/key.pem
# validate the certificates
echo \"Validating client certificate\"
if [ -s /mnt/certs/combinedca.pem ] && [ -s /mnt/certs/cert.pem ]; then
/usr/bin/openssl verify -CAfile /mnt/certs/combinedca.pem /mnt/certs/cert.pem
fi
# setup certificate rotation script
echo \"Setting up certificate rotation script\"
echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
if [ -s /root/login.token ]; then
LOGINTOKEN=\\\$(/bin/cat /root/login.token)
HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
(umask 177; /usr/local/bin/curl --cacert /mnt/certs/combinedca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json)
# extract the required certificates to individual files
/usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem)
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
# haproxy requires certificate and key in a single file
(umask 137; /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/certkey.pem)
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json >> /mnt/certs/certkey.pem)
cd /mnt/certs
# concat the root CA and intermediary CA into combined file
cat CA_cert.pem ca.pem > combinedca.pem
# steps here to hash ca
ln -s ca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
ln -s combinedca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
cd /root
# set permissions on /mnt/certs for vault
chown -R vault:certaccess /mnt/certs
# Setting root:certaccess and 0640 on key across images
chown root:certaccess /mnt/certs/key.pem
chmod 640 /mnt/certs/key.pem
# restart services
service consul reload
service consul status || service consul start
service syslog-ng restart
service haproxy reload
else
echo "/root/login.token does not contain a token. Certificates cannot be renewed."
fi
\" > /root/rotate-certs.sh
if [ -f /root/rotate-certs.sh ]; then
# make executable
chmod +x /root/rotate-certs.sh
# add a crontab entry for every hour
echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
fi
# start consul agent
service consul start
echo \"starting syslog-ng setup\"
# rsyslog setup
# setup log directory for stored logs
mkdir -p /mnt/logs
if [ -f /root/syslog-ng.conf ]; then
/usr/bin/sed -i .orig \"s/MYIP/\$IP/g\" /root/syslog-ng.conf
cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
# stop syslogd
service syslogd onestop || true
# setup sysrc entries to start and set parameters to accept logs from remote subnet
sysrc syslogd_enable=\"NO\"
sysrc syslog_ng_enable=\"YES\"
#sysrc syslog_ng_flags=\"-u daemon\"
sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
/usr/local/etc/rc.d/syslog-ng start
echo \"syslog-ng setup complete\"
else
echo \"/root/syslog-ng.conf is missing?\"
fi
else
echo \"ERROR: There was a problem logging into vault and no certificates were retrieved. Vault not started.\"
fi
# if a copied in haproxy.conf exists, then use that
if [ -f /root/haproxy.conf ]; then
cp -f /root/haproxy.conf /usr/local/etc/haproxy.conf
else
# if no copy-in, create a generic default config file
# note that haproxy crt parameter requires the certificate and key in a single file
# unlike other setups in potluck repository
echo \"global
daemon
maxconn 4096
stats socket /tmp/haproxy.sock level admin
server-state-file /tmp/haproxy.serverstates
description HAProxy
ca-base /mnt/certs
crt-base /mnt/certs
resolvers consul
nameserver consul \$IP:8600
accepted_payload_size 8192
defaults
log global
mode http
option httplog
option socket-stats
load-server-state-from-file global
timeout connect 5s
timeout client 10s
timeout server 10s
frontend stats
bind \$IP:8404
mode http
option forceclose
stats enable
stats uri /
stats show-legends
stats show-desc
stats show-node
stats refresh 5s
frontend www
bind \$PUBLICIP:80
option forwardfor
http-request redirect scheme https unless { ssl_fc }
default_backend webservers
backend webservers
balance roundrobin
server server1 10.0.1.1:443 check maxconn 20 ssl ca-file /mnt/certs/ca.pem crt /mnt/certs/certkey.pem ssl-min-ver TLSv1.2
server server2 10.0.2.1:443 check maxconn 20 ssl ca-file /mnt/certs/ca.pem crt /mnt/certs/certkey.pem ssl-min-ver TLSv1.2
\" > /usr/local/etc/haproxy.conf
fi
# HAProxy setup
service haproxy enable
if [ -f /usr/local/etc/haproxy.conf ]; then
service haproxy start
fi
echo \"You must pass in a haproxy.conf file with all the relevant parameters for your environment.\"
echo \"The default is an example round-robin setup for webservers on 10.27.9.2 and 10.27.9.3 which are hard-coded for now\"
# node exporter needs tls setup
echo \"tls_server_config:
cert_file: /mnt/certs/cert.pem
key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml
# enable node_exporter service
# add node_exporter user
/usr/sbin/pw useradd -n nodeexport -c 'nodeexporter user' -m -s /usr/bin/nologin -h -
# invite node_exporter to certaccess group
/usr/sbin/pw usermod nodeexport -G certaccess
# enable node_exporter service
service node_exporter enable
sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"
sysrc node_exporter_user=nodeexport
sysrc node_exporter_group=nodeexport
# start node_exporter
service node_exporter start
#
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION
# start services
#
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
/bin/sh /etc/rc
tail -f /dev/null
fi
" > /usr/local/bin/cook
# ----------------- END COOK ------------------
# ---------- NO NEED TO EDIT BELOW ------------
step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
chmod u+x /usr/local/bin/cook
else
exit_error "there is no /usr/local/bin/cook to make executable"
fi
#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#
# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG
# shellcheck disable=SC2016
echo '#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name="cook"
rcvar="cook_enable"
load_rc_config $name
: ${cook_enable:="NO"}
: ${cook_env:=""}
command="/usr/local/bin/cook"
command_args=""
run_rc_command "$1"
' > /usr/local/etc/rc.d/cook
step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
chmod u+x /usr/local/etc/rc.d/cook
else
exit_error "/usr/local/etc/rc.d/cook does not exist"
fi
if [ "$RUNS_IN_NOMAD" != "true" ]
then
step "Enable cook service"
# This is a non-nomad (non-blocking) jail, so we need to make sure the script
# gets started when the jail is started:
# Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
echo "enabling cook" | tee -a $COOKLOG
service cook enable
fi
# -------------------- DONE ---------------
exit_ok
haproxy/haproxy+1:
haproxy/haproxy+1.sh:
haproxy/haproxy+2:
haproxy/haproxy+2.sh:
haproxy/haproxy+3:
haproxy/haproxy+3.sh:
haproxy/haproxy+4:
haproxy/haproxy+4.sh:
Password:=====> Create conf dir (/mnt/srv/pot/jails/haproxy-amd64-13_1/conf)
=====> Cloning freebsd-potluck-amd64-13_1_0_0_6 with snap
=====> clone zroot/srv/pot/jails/freebsd-potluck-amd64-13_1_0_0_6/m@1667591523 into zroot/srv/pot/jails/haproxy-amd64-13_1/m
=====> Setting mountpoint permission for /mnt/srv/pot/jails/haproxy-amd64-13_1/m
=====> Flavour: fbsd-update
=====> Starting haproxy-amd64-13_1 pot for the initial bootstrap
=====> mount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot haproxy-amd64-13_1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ca:be:ec:80:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating motd:.
Creating and/or trimming log files.
Updating /var/run/os-release done.
Clearing /tmp (X related).
Starting syslogd.
Starting cron.
Starting sendmail_outbound.
Fri Nov 4 23:50:10 UTC 2022
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp/fbsd-update.sh
=====> Executing fbsd-update script on haproxy-amd64-13_1
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 13.1-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 13.1-RELEASE-p3.
No updates are available to install.
=====> Stop the pot haproxy-amd64-13_1
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/dev
=====> Flavour: haproxy
=====> Executing haproxy pot commands on haproxy-amd64-13_1
=====> mount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp
=====> Source /usr/local/etc/pot/flavours/haproxy.d/syslog-ng.conf copied in the pot haproxy-amd64-13_1
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp
=====> /mnt/srv/pot/jails/haproxy-amd64-13_1/m/dev is already unmounted
=====> Starting haproxy-amd64-13_1 pot for the initial bootstrap
=====> mount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot haproxy-amd64-13_1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ab:74:0d:a8:0b
inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating motd:.
Creating and/or trimming log files.
Updating /var/run/os-release done.
Clearing /tmp (X related).
Starting syslogd.
Starting cron.
Starting sendmail_outbound.
Fri Nov 4 23:50:32 UTC 2022
/usr/local/etc/pot/flavours/haproxy.sh -> /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp/haproxy.sh
=====> Executing haproxy script on haproxy-amd64-13_1
WARNING /var/log/cook.log already exists
Step 1: Bootstrap package repo
pkg already bootstrapped at /usr/local/sbin/pkg
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_outbound disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Create /usr/local/etc/rc.d
Step 6: Install package consul
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
consul: 1.12.4_2
Number of packages to be installed: 1
The process will require 80 MiB more space.
15 MiB to be downloaded.
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.12.4_2.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.12.4_2...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.12.4_2: ..... done
Step 7: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
node_exporter: 1.3.1_6
Number of packages to be installed: 1
The process will require 11 MiB more space.
3 MiB to be downloaded.
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.3.1_6.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.3.1_6...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.3.1_6: .......... done
=====
Message from node_exporter-1.3.1_6:
--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 8: Install package haproxy
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
haproxy: 2.6.6
pcre2: 10.40
Number of packages to be installed: 2
The process will require 12 MiB more space.
3 MiB to be downloaded.
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching pcre2-10.40.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching haproxy-2.6.6.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/2] Installing pcre2-10.40...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting pcre2-10.40: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [2/2] Installing haproxy-2.6.6...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting haproxy-2.6.6: .......... done
Step 9: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 10: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 11: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 12: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 13: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vault: 1.8.7_6
Number of packages to be installed: 1
The process will require 118 MiB more space.
24 MiB to be downloaded.
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.8.7_6.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.8.7_6...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.8.7_6: ..... done
=====
Message from vault-1.8.7_6:
--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:
pw usermod -L daemon -n vault
or delete the user and reinstall the package.
You may also need to increase memorylocked for the daemon class in
/etc/rc.conf to more than 1024M (the default) or more:
vault_limits_mlock="2048M"
Or to disable mlock, add:
disable_mlock = 1
to /usr/local/etc/vault.hcl
Step 14: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
e2fsprogs-libuuid: 1.46.5
glib: 2.74.0,2
json-c: 0.16
libffi: 3.4.2
libxml2: 2.10.3
mpdecimal: 2.5.1
pcre: 8.45_1
python39: 3.9.15
readline: 8.1.2
syslog-ng: 3.38.1
Number of packages to be installed: 10
The process will require 186 MiB more space.
26 MiB to be downloaded.
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/10] Fetching libxml2-2.10.3.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [2/10] Fetching mpdecimal-2.5.1.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [3/10] Fetching python39-3.9.15.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [4/10] Fetching pcre-8.45_1.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [5/10] Fetching glib-2.74.0,2.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [6/10] Fetching syslog-ng-3.38.1.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [7/10] Fetching libffi-3.4.2.pkg: ...... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [8/10] Fetching readline-8.1.2.pkg: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [9/10] Fetching json-c-0.16.pkg: ......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [10/10] Fetching e2fsprogs-libuuid-1.46.5.pkg: ..... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/10] Installing mpdecimal-2.5.1...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [1/10] Extracting mpdecimal-2.5.1: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [2/10] Installing libffi-3.4.2...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [2/10] Extracting libffi-3.4.2: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [3/10] Installing readline-8.1.2...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [3/10] Extracting readline-8.1.2: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [4/10] Installing libxml2-2.10.3...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [4/10] Extracting libxml2-2.10.3: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [5/10] Installing python39-3.9.15...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [5/10] Extracting python39-3.9.15: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [6/10] Installing pcre-8.45_1...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [6/10] Extracting pcre-8.45_1: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [7/10] Installing glib-2.74.0,2...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [7/10] Extracting glib-2.74.0,2: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [8/10] Installing json-c-0.16...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [8/10] Extracting json-c-0.16: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [9/10] Installing e2fsprogs-libuuid-1.46.5...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [9/10] Extracting e2fsprogs-libuuid-1.46.5: .......... done
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [10/10] Installing syslog-ng-3.38.1...
[haproxy-amd64-13_1.vsf00001.cpt.za.honeyguide.net] [10/10] Extracting syslog-ng-3.38.1: .......... done
Compiling glib schemas
No schema files found: doing nothing.
Generating GIO modules cache
=====
Message from python39-3.9.15:
--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:
py39-gdbm databases/py-gdbm@py39
py39-sqlite3 databases/py-sqlite3@py39
py39-tkinter x11-toolkits/py-tkinter@py39
=====
Message from syslog-ng-3.38.1:
--
syslog-ng is now installed! To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:
1. Create a configuration file named /usr/local/etc/syslog-ng.conf
(a sample named syslog-ng.conf.sample has been included in
/usr/local/etc). Note that this is a change in 2.0.2
version, previous ones put the config file in
/usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
move that file in the right place
2. Configure syslog-ng to start automatically by adding the following
to /etc/rc.conf:
syslog_ng_enable="YES"
3. Prevent the standard FreeBSD syslogd from starting automatically by
adding a line to the end of your /etc/rc.conf file that reads:
syslogd_enable="NO"
4. Shut down the standard FreeBSD syslogd:
kill `cat /var/run/syslog.pid`
5. Start syslog-ng:
/usr/local/etc/rc.d/syslog-ng start
Step 15: Clean package installation
Nothing to do.
Step 16: Remove pre-existing cook script (if any)
Step 17: Create cook script
Step 18: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 19: Create rc.d script to start cook
creating rc.d script to start cook
Step 20: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 21: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====> Stop the pot haproxy-amd64-13_1
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/tmp
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-13_1/m/dev
Password:Password:===> exporting haproxy-amd64-13_1 @ 1667605866 to /tmp/haproxy-amd64-13_1_0.0.12.xz
###> Origin freebsd-potluck-amd64-13_1_0_0_6 has no :pot.tag, please export first
haproxy-amd64-12_3_0.0.12:
haproxy/haproxy:
copy-in -s /usr/local/etc/pot/flavours/haproxy.d/syslog-ng.conf -d /root
set-attribute -A start-at-boot -V YES
haproxy/haproxy.sh:
#!/bin/sh
# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
# make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
# contains the copy-in commands for the config files from <flavour>.d/
# Remember that the package directories don't exist yet, so likely copy
# to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
# Configure the config files that have been copied in where necessary
# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false
# set the cook log path/filename
COOKLOG=/var/log/cook.log
# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
echo "Creating $COOKLOG" | tee -a $COOKLOG
else
echo "WARNING $COOKLOG already exists" | tee -a $COOKLOG
fi
date >> $COOKLOG
# -------------------- COMMON ---------------
STEPCOUNT=0
step() {
STEPCOUNT=$(("$STEPCOUNT" + 1))
STEP="$*"
echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}
exit_ok() {
trap - EXIT
exit 0
}
FAILED=" failed"
exit_error() {
STEP="$*"
FAILED=""
exit 1
}
set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT
# -------------- BEGIN PACKAGE SETUP -------------
step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# only modify repo if not already done in base image
# shellcheck disable=SC2016
test -e /usr/local/etc/pkg/repos/FreeBSD.conf || \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
>/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
step "Touch /etc/rc.conf"
touch /etc/rc.conf
# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
# shellcheck disable=SC2015
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true
step "Disable sendmail"
service sendmail onedisable
step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d
# we need consul for consul agent
step "Install package consul"
pkg install -y consul
step "Install package node_exporter"
pkg install -y node_exporter
step "Install package haproxy"
pkg install -y haproxy
step "Install package sudo"
pkg install -y sudo
step "Install package curl"
pkg install -y curl
step "Install package jq"
pkg install -y jq
step "Install package jo"
pkg install -y jo
step "Install package vault"
pkg install -y vault
step "Install package syslog-ng"
pkg install -y syslog-ng
step "Clean package installation"
pkg clean -y
# -------------- END PACKAGE SETUP -------------
#
# Create configurations
#
#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#
# clear any old cook runtime file
step "Remove pre-existing cook script (if any)"
rm -f /usr/local/bin/cook
# this runs when image boots
# ----------------- BEGIN COOK ------------------
step "Create cook script"
echo "#!/bin/sh
RUNS_IN_NOMAD=$RUNS_IN_NOMAD
# declare this again for the pot image, might work carrying variable through like
# with above
COOKLOG=/var/log/cook.log
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
# If this pot flavour is blocking (i.e. it should not return),
# we block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
/bin/sh /etc/rc
tail -f /dev/null
fi
exit 0
fi
# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION
# not needed, not started automatically, needs configuring
# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
. /tmp/environment.sh
fi
#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
#
# Check config variables are set
#
if [ -z \${DATACENTER+x} ]; then
echo 'DATACENTER is unset - see documentation to configure this flavour with the datacenter name. This parameters is mandatory.'
exit 1
fi
if [ -z \${NODENAME+x} ];
then
echo 'NODENAME is unset - see documentation to configure this flavour with a name for this node. This parameter is mandatory.'
exit 1
fi
if [ -z \${CONSULSERVERS+x} ]; then
echo 'CONSULSERVERS is unset - please pass in one or more correctly-quoted, comma-separated addresses for consul peer IPs. Refer to documentation. This parameter is mandatory.'
exit 1
fi
if [ -z \${IP+x} ]; then
echo 'IP is unset - see documentation to configure this flavour for an IP address. This parameter is mandatory.'
exit 1
fi
if [ -z \${PUBLICIP+x} ]; then
echo 'PUBLICIP is unset - see documentation to configure this flavour for a public IP address for haproxy frontend. This parameter is mandatory.'
exit 1
fi
if [ -z \${VAULTSERVER+x} ];
then
echo 'VAULTSERVER is unset - see documentation to set the vault server IP address. This is required to obtain certificates. This parameter is mandatory.'
exit 1
fi
# we need a token from the vault server
if [ -z \${VAULTTOKEN+x} ];
then
echo 'VAULTTOKEN is unset - a vault token is required to obtain certificates. Refer to documentation. This parameters is mandatory.'
exit 1
fi
# GOSSIPKEY is a 32 byte, Base64 encoded key generated with consul keygen for the consul flavour.
# Re-used for nomad, which is usually 16 byte key but supports 32 byte, Base64 encoded keys
# We'll re-use the one from the consul flavour
if [ -z \${GOSSIPKEY+x} ];
then
echo 'GOSSIPKEY is unset - please provide a 32 byte base64 key from the (consul keygen key) command. This parameter is mandatory.'
exit 1
fi
# sftpuser credentials
if [ -z \${SFTPUSER+x} ];
then
echo 'SFTPUSER is unset - please provide a username to use for the SFTP user on the vault leader. This parameter is mandatory.'
exit 1
fi
# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files
# add group for accessing certs (shared between services)
/usr/sbin/pw groupadd certaccess
# some basic ssh setup
echo \"Initialising ssh settings\"
mkdir -p /root/.ssh
chmod 700 /root/.ssh
touch /root/.ssh/authorized_keys
if [ -f /root/sshkey ] && [ ! -f /root/.ssh/id_rsa ]; then
cp /root/sshkey /root/.ssh/id_rsa
chmod 600 /root/.ssh/id_rsa
ssh-keygen -f /root/.ssh/id_rsa -y > /root/.ssh/id_rsa.pub
fi
# setup temp directory for temp certs
mkdir -p /tmp/tmpcerts
# echo a message to user
echo \"\"
echo \"########################### IMPORTANT NOTICE ###########################\"
echo \"\"
echo \"Make sure to copy in id_rsa from vault leader certuser instance!\"
echo \"\"
echo \"########################################################################\"
echo \"\"
# end client
# retrieve first round of certificates from vault leader via sftp
echo \"Get first round of certificates from vault leader via sftp\"
if [ -f /root/.ssh/id_rsa ]; then
cd /tmp/tmpcerts
# wildcard retrieval works manually but not in the script, so we specify each file to retrieve
/usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/cert.pem
(umask 137; /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/key.pem)
chgrp certaccess key.pem
/usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/ca.pem
/usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTSERVER:\$IP/combinedca.pem
cd ~
fi
# setup directories for vault usage
mkdir -p /mnt/templates
mkdir -p /mnt/certs/hash
chgrp -R certaccess /mnt/certs
mkdir -p /mnt/vault
## start consul
# make consul configuration directory and set permissions
mkdir -p /usr/local/etc/consul.d
chmod 750 /usr/local/etc/consul.d
# Create the consul agent config file with imported variables
echo \"{
\\\"advertise_addr\\\": \\\"\$IP\\\",
\\\"datacenter\\\": \\\"\$DATACENTER\\\",
\\\"node_name\\\": \\\"\$NODENAME\\\",
\\\"data_dir\\\": \\\"/var/db/consul\\\",
\\\"dns_config\\\": {
\\\"a_record_limit\\\": 3,
\\\"enable_truncate\\\": true
},
\\\"verify_incoming\\\": true,
\\\"verify_outgoing\\\": true,
\\\"verify_server_hostname\\\":false,
\\\"verify_incoming_rpc\\\": true,
\\\"ca_file\\\": \\\"/mnt/certs/combinedca.pem\\\",
\\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
\\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
\\\"log_file\\\": \\\"/var/log/consul/\\\",
\\\"log_level\\\": \\\"WARN\\\",
\\\"encrypt\\\": \\\"\$GOSSIPKEY\\\",
\\\"start_join\\\": [ \$CONSULSERVERS ],
\\\"telemetry\\\": {
\\\"prometheus_retention_time\\\": \\\"24h\\\",
\\\"disable_hostname\\\": true
},
\\\"service\\\": {
\\\"address\\\": \\\"\$IP\\\",
\\\"name\\\": \\\"node-exporter\\\",
\\\"tags\\\": [\\\"_app=prometheus\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\", \\\"_datacenter=\$DATACENTER\\\"],
\\\"port\\\": 9100
}
}\" | (umask 177; cat > /usr/local/etc/consul.d/agent.json)
# set owner on /usr/local/etc/consul.d/
chown -R consul:wheel /usr/local/etc/consul.d/
# enable consul
service consul enable
# set load parameter for consul config
sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
# setup consul logs, might be redundant if not specified in agent.json above
mkdir -p /var/log/consul
touch /var/log/consul/consul.log
chown -R consul:wheel /var/log/consul
# add the consul user to the certaccess group
/usr/sbin/pw usermod consul -G certaccess
## end consul
## start Vault
# first remove any existing vault configuration
if [ -f /usr/local/etc/vault/vault-server.hcl ]; then
rm /usr/local/etc/vault/vault-server.hcl
fi
# then setup a fresh vault.hcl specific to the type of image
# default freebsd vault.hcl is /usr/local/etc/vault.hcl and
# the init script /usr/local/etc/rc.d/vault refers to this
# but many vault docs refer to /usr/local/etc/vault/vault-server.hcl
# or similar
# begin vault config
# we're setting a config file but not actually running the vault service
# certificate rotation is being done with a cron job
# token rotation may require the vault service
echo \"disable_mlock = true
ui = false
vault {
address = \\\"\$VAULTSERVER:8200\\\"
retry {
num_retries = 5
}
}
storage \\\"file\\\" {
path = \\\"/mnt/vault/data\\\"
}
#template {
# source = \\\"/mnt/templates/cert.tpl\\\"
# destination = \\\"/mnt/certs/cert.pem\\\"
#}
#template {
# source = \\\"/mnt/templates/ca.tpl\\\"
# destination = \\\"/mnt/certs/ca.pem\\\"
#}
#template {
# source = \\\"/mnt/templates/key.tpl\\\"
# destination = \\\"/mnt/certs/key.pem\\\"
}\" | (umask 177; cat > /usr/local/etc/vault.hcl)
# Set permission for vault.hcl, so that vault can read it
chown vault:wheel /usr/local/etc/vault.hcl
# This is not in use
# setup template files for certificates
echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl
echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl
echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$NODENAME\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl
# set permissions on /mnt for vault data
chown -R vault:wheel /mnt/vault
# invite to certaccess group
/usr/sbin/pw usermod vault -G certaccess
# setup rc.conf entries
# we do not set vault_user=vault because vault will not start
# we're not starting vault as a service
service vault enable
sysrc vault_login_class=root
sysrc vault_syslog_output_enable=\"YES\"
sysrc vault_syslog_output_priority=\"warn\"
# new CA cert retrieval process with curl
echo \"Retrieving CA certificates from Vault leader\"
# get the root CA
/usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/CA_cert.pem https://\$VAULTSERVER:8200/v1/pki/ca/pem
# append a new line to the file, as will concat together later with another file
if [ -s /mnt/certs/CA_cert.pem ]; then
echo \"\" >> /mnt/certs/CA_cert.pem
fi
# get the intermediate CA
/usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/intermediate.cert.pem https://\$VAULTSERVER:8200/v1/pki_int/ca/pem
# append a new line to the file, as will concat together later with another file
if [ -s /mnt/certs/intermediate.cert.pem ]; then
echo \"\" >> /mnt/certs/intermediate.cert.pem
fi
# validate the certificates
echo \"Validating CA certificates\"
if [ -s /mnt/certs/CA_cert.pem ] && [ -s /mnt/certs/intermediate.cert.pem ]; then
/usr/bin/openssl verify -CAfile /mnt/certs/CA_cert.pem /mnt/certs/intermediate.cert.pem
fi
# unwrap the pki token issued by vault leader
echo \"Unwrapping passed in token...\"
(umask 177; /usr/local/bin/vault unwrap -address=https://\$VAULTSERVER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem -format=json \$VAULTTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token)
sleep 1
if [ -s /root/unwrapped.token ]; then
echo \"Token unwrapped\"
THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
echo \"Logging in to vault leader to authenticate\"
(umask 177; echo \"\$THIS_TOKEN\" | /usr/local/bin/vault login -address=https://\$VAULTSERVER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem -method=token -field=token token=- > /root/login.token)
fi
# get list of secrets engines (helps cluster to align)
/usr/local/bin/vault secrets list -address=https://\$VAULTSERVER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem
echo \"Setting certificate payload\"
if [ -s /root/login.token ]; then
# generate certificates to use
# using this payload.json approach to avoid nested single and double quotes for expansion
# new way of generating payload.json with jo
/usr/local/bin/jo -p common_name=\$IP alt_names=\$NODENAME ttl=24h ip_sans=\"\$IP,127.0.0.1\" format=pem > /mnt/templates/payload.json
# we use curl to get the certificates in json format as the issue command only has formats: pem, pem_bundle, der
# but no json format except via the API
echo \"Generating certificates to use from Vault\"
HEADER=\$(/bin/cat /root/login.token)
(umask 177; /usr/local/bin/curl --cacert /tmp/tmpcerts/combinedca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json)
# extract the required certificates to individual files
/usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
# append the ca cert to the cert
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem)
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
# haproxy requires certificate and key in a single file
(umask 137; /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/certkey.pem)
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json >> /mnt/certs/certkey.pem)
cd /mnt/certs
# concat the root CA and intermediary CA into combined file
cat /mnt/certs/CA_cert.pem /mnt/certs/ca.pem > /mnt/certs/combinedca.pem
# steps here to hash ca, required for syslog-ng
ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
cd /root
# set permissions on /mnt/certs for vault
chown -R vault:certaccess /mnt/certs
# Setting root:certaccess and 0640 on key across images
chown root:certaccess /mnt/certs/key.pem
chmod 640 /mnt/certs/key.pem
# validate the certificates
echo \"Validating client certificate\"
if [ -s /mnt/certs/combinedca.pem ] && [ -s /mnt/certs/cert.pem ]; then
/usr/bin/openssl verify -CAfile /mnt/certs/combinedca.pem /mnt/certs/cert.pem
fi
# setup certificate rotation script
echo \"Setting up certificate rotation script\"
echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
if [ -s /root/login.token ]; then
LOGINTOKEN=\\\$(/bin/cat /root/login.token)
HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
(umask 177; /usr/local/bin/curl --cacert /mnt/certs/combinedca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTSERVER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json)
# extract the required certificates to individual files
/usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem)
/usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
# haproxy requires certificate and key in a single file
(umask 137; /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/certkey.pem)
(umask 137; /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json >> /mnt/certs/certkey.pem)
cd /mnt/certs
# concat the root CA and intermediary CA into combined file
cat CA_cert.pem ca.pem > combinedca.pem
# steps here to hash ca
ln -s ca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
ln -s combinedca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
cd /root
# set permissions on /mnt/certs for vault
chown -R vault:certaccess /mnt/certs
# Setting root:certaccess and 0640 on key across images
chown root:certaccess /mnt/certs/key.pem
chmod 640 /mnt/certs/key.pem
# restart services
service consul reload
service consul status || service consul start
service syslog-ng restart
service haproxy reload
else
echo "/root/login.token does not contain a token. Certificates cannot be renewed."
fi
\" > /root/rotate-certs.sh
if [ -f /root/rotate-certs.sh ]; then
# make executable
chmod +x /root/rotate-certs.sh
# add a crontab entry for every hour
echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
fi
# start consul agent
service consul start
echo \"starting syslog-ng setup\"
# rsyslog setup
# setup log directory for stored logs
mkdir -p /mnt/logs
if [ -f /root/syslog-ng.conf ]; then
/usr/bin/sed -i .orig \"s/MYIP/\$IP/g\" /root/syslog-ng.conf
cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
# stop syslogd
service syslogd onestop || true
# setup sysrc entries to start and set parameters to accept logs from remote subnet
sysrc syslogd_enable=\"NO\"
sysrc syslog_ng_enable=\"YES\"
#sysrc syslog_ng_flags=\"-u daemon\"
sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
/usr/local/etc/rc.d/syslog-ng start
echo \"syslog-ng setup complete\"
else
echo \"/root/syslog-ng.conf is missing?\"
fi
else
echo \"ERROR: There was a problem logging into vault and no certificates were retrieved. Vault not started.\"
fi
# if a copied in haproxy.conf exists, then use that
if [ -f /root/haproxy.conf ]; then
cp -f /root/haproxy.conf /usr/local/etc/haproxy.conf
else
# if no copy-in, create a generic default config file
# note that haproxy crt parameter requires the certificate and key in a single file
# unlike other setups in potluck repository
echo \"global
daemon
maxconn 4096
stats socket /tmp/haproxy.sock level admin
server-state-file /tmp/haproxy.serverstates
description HAProxy
ca-base /mnt/certs
crt-base /mnt/certs
resolvers consul
nameserver consul \$IP:8600
accepted_payload_size 8192
defaults
log global
mode http
option httplog
option socket-stats
load-server-state-from-file global
timeout connect 5s
timeout client 10s
timeout server 10s
frontend stats
bind \$IP:8404
mode http
option forceclose
stats enable
stats uri /
stats show-legends
stats show-desc
stats show-node
stats refresh 5s
frontend www
bind \$PUBLICIP:80
option forwardfor
http-request redirect scheme https unless { ssl_fc }
default_backend webservers
backend webservers
balance roundrobin
server server1 10.0.1.1:443 check maxconn 20 ssl ca-file /mnt/certs/ca.pem crt /mnt/certs/certkey.pem ssl-min-ver TLSv1.2
server server2 10.0.2.1:443 check maxconn 20 ssl ca-file /mnt/certs/ca.pem crt /mnt/certs/certkey.pem ssl-min-ver TLSv1.2
\" > /usr/local/etc/haproxy.conf
fi
# HAProxy setup
service haproxy enable
if [ -f /usr/local/etc/haproxy.conf ]; then
service haproxy start
fi
echo \"You must pass in a haproxy.conf file with all the relevant parameters for your environment.\"
echo \"The default is an example round-robin setup for webservers on 10.27.9.2 and 10.27.9.3 which are hard-coded for now\"
# node exporter needs tls setup
echo \"tls_server_config:
cert_file: /mnt/certs/cert.pem
key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml
# enable node_exporter service
# add node_exporter user
/usr/sbin/pw useradd -n nodeexport -c 'nodeexporter user' -m -s /usr/bin/nologin -h -
# invite node_exporter to certaccess group
/usr/sbin/pw usermod nodeexport -G certaccess
# enable node_exporter service
service node_exporter enable
sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"
sysrc node_exporter_user=nodeexport
sysrc node_exporter_group=nodeexport
# start node_exporter
service node_exporter start
#
# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION
# start services
#
# Do not touch this:
touch /usr/local/etc/pot-is-seasoned
# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
/bin/sh /etc/rc
tail -f /dev/null
fi
" > /usr/local/bin/cook
# ----------------- END COOK ------------------
# ---------- NO NEED TO EDIT BELOW ------------
step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
chmod u+x /usr/local/bin/cook
else
exit_error "there is no /usr/local/bin/cook to make executable"
fi
#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#
# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG
# shellcheck disable=SC2016
echo '#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name="cook"
rcvar="cook_enable"
load_rc_config $name
: ${cook_enable:="NO"}
: ${cook_env:=""}
command="/usr/local/bin/cook"
command_args=""
run_rc_command "$1"
' > /usr/local/etc/rc.d/cook
step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
chmod u+x /usr/local/etc/rc.d/cook
else
exit_error "/usr/local/etc/rc.d/cook does not exist"
fi
if [ "$RUNS_IN_NOMAD" != "true" ]
then
step "Enable cook service"
# This is a non-nomad (non-blocking) jail, so we need to make sure the script
# gets started when the jail is started:
# Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
echo "enabling cook" | tee -a $COOKLOG
service cook enable
fi
# -------------------- DONE ---------------
exit_ok
haproxy/haproxy+1:
haproxy/haproxy+1.sh:
haproxy/haproxy+2:
haproxy/haproxy+2.sh:
haproxy/haproxy+3:
haproxy/haproxy+3.sh:
haproxy/haproxy+4:
haproxy/haproxy+4.sh:
Password:===> Creating a new pot
===> pot name : haproxy-amd64-12_3
===> type : single
===> base : 12.3
===> pot_base :
===> level : 0
===> network-type : public-bridge
===> network-stack: ipv4
===> ip : 10.192.0.5
===> bridge :
===> dns : inherit
===> flavours : fbsd-update haproxy haproxy+1 haproxy+2 haproxy+3 haproxy+4
=====> Creating mountpoint /mnt/srv/pot/jails/haproxy-amd64-12_3/m
=====> Setting mountpoint permission for /mnt/srv/pot/jails/haproxy-amd64-12_3/m
===> Fetching FreeBSD 12.3
===> Extract the tarball
=====> Flavour: fbsd-update
=====> Starting haproxy-amd64-12_3 pot for the initial bootstrap
=====> mount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp
defaultrouter: NO -> 10.192.0.1
===> Starting the pot haproxy-amd64-12_3
Generating host.conf.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:a5:02:f1:3c:0b
inet 10.192.0.5 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Updating motd:.
Updating /var/run/os-release done.
Starting syslogd.
Clearing /tmp (X related).
Starting cron.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Fri Nov 4 23:51:39 UTC 2022
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp/fbsd-update.sh
=====> Executing fbsd-update script on haproxy-amd64-12_3
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update1.freebsd.org... done.
Fetching metadata signature for 12.3-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 125 patches.....10....20....30....40....50....60....70....80....90....100....110....120.. done.
Applying patches... done.
Fetching 1 files... done.
The following files will be removed as part of updating to
12.3-RELEASE-p8:
/usr/share/zoneinfo/SystemV
The following files will be added as part of updating to
12.3-RELEASE-p8:
/usr/share/zoneinfo/Europe/Kyiv
/usr/share/zoneinfo/GMT
/usr/share/zoneinfo/Pacific/Kanton
The following files will be updated as part of updating to
12.3-RELEASE-p8:
/bin/freebsd-version
/boot/loader
/boot/loader.efi
/boot/loader_4th
/boot/loader_4th.efi
/boot/loader_lua
/boot/loader_lua.efi
/boot/loader_simp
/boot/loader_simp.efi
/boot/pxeboot
/boot/userboot.so
/boot/userboot_4th.so
/boot/userboot_lua.so
/boot/zfsloader
/etc/mtree/BSD.usr.dist
/lib/libalias.so.7
/lib/libcrypto.so.111
/lib/libz.so.6
/rescue/[
/rescue/bectl
/rescue/bsdlabel
/rescue/bunzip2
/rescue/bzcat
/rescue/bzip2
/rescue/camcontrol
/rescue/cat
/rescue/ccdconfig
/rescue/chflags
/rescue/chgrp
/rescue/chio
/rescue/chmod
/rescue/chown
/rescue/chroot
/rescue/clri
/rescue/cp
/rescue/csh
/rescue/date
/rescue/dd
/rescue/devfs
/rescue/df
/rescue/dhclient
/rescue/disklabel
/rescue/dmesg
/rescue/dump
/rescue/dumpfs
/rescue/dumpon
/rescue/echo
/rescue/ed
/rescue/ex
/rescue/expr
/rescue/fastboot
/rescue/fasthalt
/rescue/fdisk
/rescue/fsck
/rescue/fsck_4.2bsd
/rescue/fsck_ffs
/rescue/fsck_msdosfs
/rescue/fsck_ufs
/rescue/fsdb
/rescue/fsirand
/rescue/gbde
/rescue/geom
/rescue/getfacl
/rescue/glabel
/rescue/gpart
/rescue/groups
/rescue/gunzip
/rescue/gzcat
/rescue/gzip
/rescue/halt
/rescue/head
/rescue/hostname
/rescue/id
/rescue/ifconfig
/rescue/init
/rescue/ipf
/rescue/iscsictl
/rescue/iscsid
/rescue/kenv
/rescue/kill
/rescue/kldconfig
/rescue/kldload
/rescue/kldstat
/rescue/kldunload
/rescue/ldconfig
/rescue/less
/rescue/link
/rescue/ln
/rescue/ls
/rescue/lzcat
/rescue/lzma
/rescue/md5
/rescue/mdconfig
/rescue/mdmfs
/rescue/mkdir
/rescue/mknod
/rescue/more
/rescue/mount
/rescue/mount_cd9660
/rescue/mount_msdosfs
/rescue/mount_nfs
/rescue/mount_nullfs
/rescue/mount_udf
/rescue/mount_unionfs
/rescue/mt
/rescue/mv
/rescue/nc
/rescue/newfs
/rescue/newfs_msdos
/rescue/nos-tun
/rescue/pgrep
/rescue/ping
/rescue/ping6
/rescue/pkill
/rescue/poweroff
/rescue/ps
/rescue/pwd
/rescue/rcorder
/rescue/rdump
/rescue/realpath
/rescue/reboot
/rescue/red
/rescue/rescue
/rescue/restore
/rescue/rm
/rescue/rmdir
/rescue/route
/rescue/routed
/rescue/rrestore
/rescue/rtquery
/rescue/rtsol
/rescue/savecore
/rescue/sed
/rescue/setfacl
/rescue/sh
/rescue/shutdown
/rescue/sleep
/rescue/spppcontrol
/rescue/stty
/rescue/swapon
/rescue/sync
/rescue/sysctl
/rescue/tail
/rescue/tar
/rescue/tcsh
/rescue/tee
/rescue/test
/rescue/tunefs
/rescue/umount
/rescue/unlink
/rescue/unlzma
/rescue/unxz
/rescue/unzstd
/rescue/vi
/rescue/whoami
/rescue/xz
/rescue/xzcat
/rescue/zcat
/rescue/zdb
/rescue/zfs
/rescue/zpool
/rescue/zstd
/rescue/zstdcat
/rescue/zstdmt
/usr/bin/c++
/usr/bin/cc
/usr/bin/clang
/usr/bin/clang++
/usr/bin/clang-cpp
/usr/bin/cpp
/usr/bin/ld.lld
/usr/include/net80211/ieee80211_input.h
/usr/lib/libalias.a
/usr/lib/libalias_p.a
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libz.a
/usr/lib/libz_p.a
/usr/sbin/bhyve
/usr/sbin/freebsd-update
/usr/share/zoneinfo/Africa/Accra
/usr/share/zoneinfo/Africa/Ceuta
/usr/share/zoneinfo/America/Anguilla
/usr/share/zoneinfo/America/Antigua
/usr/share/zoneinfo/America/Aruba
/usr/share/zoneinfo/America/Atikokan
/usr/share/zoneinfo/America/Bahia_Banderas
/usr/share/zoneinfo/America/Barbados
/usr/share/zoneinfo/America/Blanc-Sablon
/usr/share/zoneinfo/America/Boise
/usr/share/zoneinfo/America/Cancun
/usr/share/zoneinfo/America/Chicago
/usr/share/zoneinfo/America/Chihuahua
/usr/share/zoneinfo/America/Coral_Harbour
/usr/share/zoneinfo/America/Creston
/usr/share/zoneinfo/America/Curacao
/usr/share/zoneinfo/America/Denver
/usr/share/zoneinfo/America/Dominica
/usr/share/zoneinfo/America/Ensenada
/usr/share/zoneinfo/America/Fort_Wayne
/usr/share/zoneinfo/America/Grenada
/usr/share/zoneinfo/America/Guadeloupe
/usr/share/zoneinfo/America/Guyana
/usr/share/zoneinfo/America/Hermosillo
/usr/share/zoneinfo/America/Indiana/Indianapolis
/usr/share/zoneinfo/America/Indiana/Knox
/usr/share/zoneinfo/America/Indiana/Marengo
/usr/share/zoneinfo/America/Indiana/Petersburg
/usr/share/zoneinfo/America/Indiana/Tell_City
/usr/share/zoneinfo/America/Indiana/Vevay
/usr/share/zoneinfo/America/Indiana/Vincennes
/usr/share/zoneinfo/America/Indiana/Winamac
/usr/share/zoneinfo/America/Indianapolis
/usr/share/zoneinfo/America/Kentucky/Louisville
/usr/share/zoneinfo/America/Kentucky/Monticello
/usr/share/zoneinfo/America/Knox_IN
/usr/share/zoneinfo/America/Kralendijk
/usr/share/zoneinfo/America/Los_Angeles
/usr/share/zoneinfo/America/Louisville
/usr/share/zoneinfo/America/Lower_Princes
/usr/share/zoneinfo/America/Marigot
/usr/share/zoneinfo/America/Matamoros
/usr/share/zoneinfo/America/Mazatlan
/usr/share/zoneinfo/America/Merida
/usr/share/zoneinfo/America/Mexico_City
/usr/share/zoneinfo/America/Monterrey
/usr/share/zoneinfo/America/Montserrat
/usr/share/zoneinfo/America/Nassau
/usr/share/zoneinfo/America/New_York
/usr/share/zoneinfo/America/Nipigon
/usr/share/zoneinfo/America/North_Dakota/Beulah
/usr/share/zoneinfo/America/North_Dakota/Center
/usr/share/zoneinfo/America/North_Dakota/New_Salem
/usr/share/zoneinfo/America/Ojinaga
/usr/share/zoneinfo/America/Phoenix
/usr/share/zoneinfo/America/Port_of_Spain
/usr/share/zoneinfo/America/Punta_Arenas
/usr/share/zoneinfo/America/Rainy_River
/usr/share/zoneinfo/America/Santa_Isabel
/usr/share/zoneinfo/America/Santiago
/usr/share/zoneinfo/America/Shiprock
/usr/share/zoneinfo/America/St_Barthelemy
/usr/share/zoneinfo/America/St_Kitts
/usr/share/zoneinfo/America/St_Lucia
/usr/share/zoneinfo/America/St_Thomas
/usr/share/zoneinfo/America/St_Vincent
/usr/share/zoneinfo/America/Thunder_Bay
/usr/share/zoneinfo/America/Tijuana
/usr/share/zoneinfo/America/Tortola
/usr/share/zoneinfo/America/Virgin
/usr/share/zoneinfo/Antarctica/DumontDUrville
/usr/share/zoneinfo/Antarctica/Syowa
/usr/share/zoneinfo/Antarctica/Vostok
/usr/share/zoneinfo/Arctic/Longyearbyen
/usr/share/zoneinfo/Asia/Amman
/usr/share/zoneinfo/Asia/Brunei
/usr/share/zoneinfo/Asia/Damascus
/usr/share/zoneinfo/Asia/Gaza
/usr/share/zoneinfo/Asia/Hebron
/usr/share/zoneinfo/Asia/Ho_Chi_Minh
/usr/share/zoneinfo/Asia/Hong_Kong
/usr/share/zoneinfo/Asia/Jakarta
/usr/share/zoneinfo/Asia/Kuala_Lumpur
/usr/share/zoneinfo/Asia/Saigon
/usr/share/zoneinfo/Asia/Tehran
/usr/share/zoneinfo/Atlantic/Azores
/usr/share/zoneinfo/Atlantic/Jan_Mayen
/usr/share/zoneinfo/Atlantic/Madeira
/usr/share/zoneinfo/Atlantic/Reykjavik
/usr/share/zoneinfo/Chile/Continental
/usr/share/zoneinfo/Chile/EasterIsland
/usr/share/zoneinfo/Eire
/usr/share/zoneinfo/Europe/Amsterdam
/usr/share/zoneinfo/Europe/Belfast
/usr/share/zoneinfo/Europe/Copenhagen
/usr/share/zoneinfo/Europe/Dublin
/usr/share/zoneinfo/Europe/Gibraltar
/usr/share/zoneinfo/Europe/Guernsey
/usr/share/zoneinfo/Europe/Isle_of_Man
/usr/share/zoneinfo/Europe/Jersey
/usr/share/zoneinfo/Europe/Kiev
/usr/share/zoneinfo/Europe/Lisbon
/usr/share/zoneinfo/Europe/London
/usr/share/zoneinfo/Europe/Luxembourg
/usr/share/zoneinfo/Europe/Madrid
/usr/share/zoneinfo/Europe/Malta
/usr/share/zoneinfo/Europe/Monaco
/usr/share/zoneinfo/Europe/Oslo
/usr/share/zoneinfo/Europe/Rome
/usr/share/zoneinfo/Europe/San_Marino
/usr/share/zoneinfo/Europe/Simferopol
/usr/share/zoneinfo/Europe/Stockholm
/usr/share/zoneinfo/Europe/Uzhgorod
/usr/share/zoneinfo/Europe/Vatican
/usr/share/zoneinfo/Europe/Zaporozhye
/usr/share/zoneinfo/GB
/usr/share/zoneinfo/GB-Eire
/usr/share/zoneinfo/Hongkong
/usr/share/zoneinfo/Iceland
/usr/share/zoneinfo/Indian/Christmas
/usr/share/zoneinfo/Indian/Cocos
/usr/share/zoneinfo/Indian/Kerguelen
/usr/share/zoneinfo/Indian/Mahe
/usr/share/zoneinfo/Indian/Reunion
/usr/share/zoneinfo/Iran
/usr/share/zoneinfo/Mexico/BajaNorte
/usr/share/zoneinfo/Mexico/BajaSur
/usr/share/zoneinfo/Mexico/General
/usr/share/zoneinfo/Navajo
/usr/share/zoneinfo/Pacific/Chuuk
/usr/share/zoneinfo/Pacific/Easter
/usr/share/zoneinfo/Pacific/Enderbury
/usr/share/zoneinfo/Pacific/Fiji
/usr/share/zoneinfo/Pacific/Funafuti
/usr/share/zoneinfo/Pacific/Majuro
/usr/share/zoneinfo/Pacific/Niue
/usr/share/zoneinfo/Pacific/Pohnpei
/usr/share/zoneinfo/Pacific/Ponape
/usr/share/zoneinfo/Pacific/Rarotonga
/usr/share/zoneinfo/Pacific/Tongatapu
/usr/share/zoneinfo/Pacific/Truk
/usr/share/zoneinfo/Pacific/Wake
/usr/share/zoneinfo/Pacific/Wallis
/usr/share/zoneinfo/Pacific/Yap
/usr/share/zoneinfo/Portugal
/usr/share/zoneinfo/US/Arizona
/usr/share/zoneinfo/US/Central
/usr/share/zoneinfo/US/East-Indiana
/usr/share/zoneinfo/US/Eastern
/usr/share/zoneinfo/US/Indiana-Starke
/usr/share/zoneinfo/US/Mountain
/usr/share/zoneinfo/US/Pacific
/usr/share/zoneinfo/posixrules
/usr/share/zoneinfo/zone.tab
/usr/share/zoneinfo/zone1970.tab
/var/db/etcupdate/current/etc/mtree/BSD.usr.dist
/var/db/etcupdate/log
/var/db/mergemaster.mtree
WARNING: FreeBSD 12.3-RELEASE is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 2 months.
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
done.
=====> Stop the pot haproxy-amd64-12_3
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/dev
=====> Flavour: haproxy
=====> Executing haproxy pot commands on haproxy-amd64-12_3
=====> mount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp
=====> Source /usr/local/etc/pot/flavours/haproxy.d/syslog-ng.conf copied in the pot haproxy-amd64-12_3
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp
=====> /mnt/srv/pot/jails/haproxy-amd64-12_3/m/dev is already unmounted
=====> Starting haproxy-amd64-12_3 pot for the initial bootstrap
=====> mount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===> Starting the pot haproxy-amd64-12_3
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:87:9a:3e:94:0b
inet 10.192.0.5 netmask 0xffc00000 broadcast 10.255.255.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Updating motd:.
Updating /var/run/os-release done.
Starting syslogd.
Clearing /tmp (X related).
Starting cron.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Fri Nov 4 23:52:50 UTC 2022
/usr/local/etc/pot/flavours/haproxy.sh -> /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp/haproxy.sh
=====> Executing haproxy script on haproxy-amd64-12_3
Creating /var/log/cook.log
Step 1: Bootstrap package repo
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.18.4...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.18.4: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Create /usr/local/etc/rc.d
Step 6: Install package consul
Updating FreeBSD repository catalogue...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.pkg: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 32396 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
consul: 1.12.4_2
Number of packages to be installed: 1
The process will require 80 MiB more space.
15 MiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.12.4_2.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.12.4_2...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.12.4_2: ..... done
Step 7: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
node_exporter: 1.3.1_6
Number of packages to be installed: 1
The process will require 11 MiB more space.
3 MiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.3.1_6.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.3.1_6...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.3.1_6: .......... done
=====
Message from node_exporter-1.3.1_6:
--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 8: Install package haproxy
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
haproxy: 2.6.6
pcre2: 10.40
Number of packages to be installed: 2
The process will require 13 MiB more space.
3 MiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching pcre2-10.40.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching haproxy-2.6.6.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/2] Installing pcre2-10.40...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting pcre2-10.40: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/2] Installing haproxy-2.6.6...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting haproxy-2.6.6: .......... done
Step 9: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
gettext-runtime: 0.21
indexinfo: 0.3.1
sudo: 1.9.11p3
Number of packages to be installed: 3
The process will require 8 MiB more space.
2 MiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching indexinfo-0.3.1.pkg: . done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching sudo-1.9.11p3.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching gettext-runtime-0.21.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/3] Installing indexinfo-0.3.1...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting indexinfo-0.3.1: .... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/3] Installing gettext-runtime-0.21...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting gettext-runtime-0.21: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/3] Installing sudo-1.9.11p3...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting sudo-1.9.11p3: .......... done
Step 10: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 7 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
ca_root_nss: 3.83
curl: 7.85.0
libidn2: 2.3.3
libnghttp2: 1.48.0
libpsl: 0.21.1_4
libssh2: 1.10.0,3
libunistring: 1.0
Number of packages to be installed: 7
The process will require 10 MiB more space.
3 MiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/7] Fetching libnghttp2-1.48.0.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/7] Fetching libidn2-2.3.3.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/7] Fetching libunistring-1.0.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [4/7] Fetching libssh2-1.10.0,3.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [5/7] Fetching libpsl-0.21.1_4.pkg: ........ done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [6/7] Fetching curl-7.85.0.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [7/7] Fetching ca_root_nss-3.83.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/7] Installing libunistring-1.0...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/7] Extracting libunistring-1.0: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/7] Installing libidn2-2.3.3...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/7] Extracting libidn2-2.3.3: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/7] Installing libnghttp2-1.48.0...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/7] Extracting libnghttp2-1.48.0: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [4/7] Installing libssh2-1.10.0,3...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [4/7] Extracting libssh2-1.10.0,3: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [5/7] Installing libpsl-0.21.1_4...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [5/7] Extracting libpsl-0.21.1_4: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [6/7] Installing ca_root_nss-3.83...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [6/7] Extracting ca_root_nss-3.83: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [7/7] Installing curl-7.85.0...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [7/7] Extracting curl-7.85.0: .......... done
=====
Message from ca_root_nss-3.83:
--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* /usr/local/etc/ssl/cert.pem
* /usr/local/openssl/cert.pem
Step 11: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
jq: 1.6
oniguruma: 6.9.8_1
Number of packages to be installed: 2
The process will require 2 MiB more space.
493 KiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching jq-1.6.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching oniguruma-6.9.8_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/2] Installing oniguruma-6.9.8_1...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting oniguruma-6.9.8_1: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/2] Installing jq-1.6...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting jq-1.6: .......... done
Step 12: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
jo: 1.6
Number of packages to be installed: 1
20 KiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching jo-1.6.pkg: ... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Installing jo-1.6...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting jo-1.6: ....... done
Step 13: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vault: 1.8.7_6
Number of packages to be installed: 1
The process will require 118 MiB more space.
24 MiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.8.7_6.pkg: .......... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.8.7_6...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.8.7_6: ..... done
=====
Message from vault-1.8.7_6:
--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:
pw usermod -L daemon -n vault
or delete the user and reinstall the package.
You may also need to increase memorylocked for the daemon class in
/etc/rc.conf to more than 1024M (the default) or more:
vault_limits_mlock="2048M"
Or to disable mlock, add:
disable_mlock = 1
to /usr/local/etc/vault.hcl
Step 14: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
e2fsprogs-libuuid: 1.46.5
glib: 2.74.0,2
json-c: 0.16
libffi: 3.4.2
libiconv: 1.17
libxml2: 2.10.3
mpdecimal: 2.5.1
pcre: 8.45_1
python39: 3.9.15
readline: 8.1.2
syslog-ng: 3.38.1
Number of packages to be installed: 11
The process will require 189 MiB more space.
27 MiB to be downloaded.
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/11] Fetching libxml2-2.10.3.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/11] Fetching mpdecimal-2.5.1.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/11] Fetching python39-3.9.15.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [4/11] Fetching pcre-8.45_1.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [5/11] Fetching glib-2.74.0,2.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [6/11] Fetching syslog-ng-3.38.1.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [7/11] Fetching libffi-3.4.2.pkg: ...... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [8/11] Fetching readline-8.1.2.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [9/11] Fetching libiconv-1.17.pkg: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [10/11] Fetching json-c-0.16.pkg: ......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [11/11] Fetching e2fsprogs-libuuid-1.46.5.pkg: ..... done
Checking integrity... done (0 conflicting)
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/11] Installing mpdecimal-2.5.1...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [1/11] Extracting mpdecimal-2.5.1: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/11] Installing libffi-3.4.2...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [2/11] Extracting libffi-3.4.2: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/11] Installing readline-8.1.2...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [3/11] Extracting readline-8.1.2: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [4/11] Installing libxml2-2.10.3...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [4/11] Extracting libxml2-2.10.3: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [5/11] Installing python39-3.9.15...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [5/11] Extracting python39-3.9.15: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [6/11] Installing libiconv-1.17...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [6/11] Extracting libiconv-1.17: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [7/11] Installing pcre-8.45_1...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [7/11] Extracting pcre-8.45_1: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [8/11] Installing glib-2.74.0,2...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [8/11] Extracting glib-2.74.0,2: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [9/11] Installing json-c-0.16...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [9/11] Extracting json-c-0.16: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [10/11] Installing e2fsprogs-libuuid-1.46.5...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [10/11] Extracting e2fsprogs-libuuid-1.46.5: .......... done
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [11/11] Installing syslog-ng-3.38.1...
[haproxy-amd64-12_3.vsf00001.cpt.za.honeyguide.net] [11/11] Extracting syslog-ng-3.38.1: .......... done
Compiling glib schemas
No schema files found: doing nothing.
Generating GIO modules cache
=====
Message from python39-3.9.15:
--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:
py39-gdbm databases/py-gdbm@py39
py39-sqlite3 databases/py-sqlite3@py39
py39-tkinter x11-toolkits/py-tkinter@py39
=====
Message from syslog-ng-3.38.1:
--
syslog-ng is now installed! To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:
1. Create a configuration file named /usr/local/etc/syslog-ng.conf
(a sample named syslog-ng.conf.sample has been included in
/usr/local/etc). Note that this is a change in 2.0.2
version, previous ones put the config file in
/usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
move that file in the right place
2. Configure syslog-ng to start automatically by adding the following
to /etc/rc.conf:
syslog_ng_enable="YES"
3. Prevent the standard FreeBSD syslogd from starting automatically by
adding a line to the end of your /etc/rc.conf file that reads:
syslogd_enable="NO"
4. Shut down the standard FreeBSD syslogd:
kill `cat /var/run/syslog.pid`
5. Start syslog-ng:
/usr/local/etc/rc.d/syslog-ng start
Step 15: Clean package installation
Nothing to do.
Step 16: Remove pre-existing cook script (if any)
Step 17: Create cook script
Step 18: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 19: Create rc.d script to start cook
creating rc.d script to start cook
Step 20: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 21: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====> Stop the pot haproxy-amd64-12_3
=====> Remove epair0[a|b] network interfaces
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/tmp
=====> unmount /mnt/srv/pot/jails/haproxy-amd64-12_3/m/dev
=====> Flavour: haproxy+1
=====> Executing haproxy+1 pot commands on haproxy-amd64-12_3
=====> No shell script available for the flavour haproxy+1
=====> Flavour: haproxy+2
=====> Executing haproxy+2 pot commands on haproxy-amd64-12_3
=====> No shell script available for the flavour haproxy+2
=====> Flavour: haproxy+3
=====> Executing haproxy+3 pot commands on haproxy-amd64-12_3
=====> No shell script available for the flavour haproxy+3
=====> Flavour: haproxy+4
=====> Executing haproxy+4 pot commands on haproxy-amd64-12_3
=====> No shell script available for the flavour haproxy+4