Nomad (Server) TLS

Overview

This is a flavour containing the nomad service orchestrator with TLS encryption. You need a running Vault instance/cluster to make this work.

This flavour is configured as orchestration server. You need one or more nomad client instances that connect to this server and actually run the workload.

Since clients need to run jobs e.g. via pot, you need to install the client directly on a host; therefore you will not find a nomad client flavour on potluck.

Together with consul and the traefik pot flavours on this site, you can easily set up a virtual datacenter.

Please note that a specific network configuration is suggested (see Installation-chapter) as this jail does not work behind the NAT of a public-bridge.

Installation

  • [Optional] Create a ZFS dataset on the parent system beforehand: zfs create -o mountpoint=/mnt/nomad zroot/nomad
  • Create your local jail from the image or the flavour files.
  • [Optional] Mount in the ZFS dataset you created: pot mount-in -p <jailname> -m /mnt -d /mnt/nomad
  • Copy in the SSH private key for the user on the Vault leader: pot copy-in -p <jailname> -s /root/sshkey -d /root/sshkey
  • This jail does not work with a public bridge, so clone it to use an IP address directly on your host: sudo pot clone -P <nameofimportedjail> -p <clonejailname> -N alias -i "<interface>|<ipaddress>" e.g. sudo pot clone -P nomad-server-amd64-13_2_0_2 -p my-nomad-server -N alias -i "em0|10.10.10.11"
  • Adjust to your environment:
    sudo pot set-env -p <clonejailname> -E DATACENTER=<datacentername> -E NODENAME=<name of this node> -E IP=<IP address of this nomad instance> \
    -E CONSULSERVERS=<'"list", "of", "consul", "IPs"'> \
    -E SFTPUSER=<user> -E SFTPPASS=<password> \
    [-E BOOTSTRAP=<1|3|5>] [-E GOSSIPKEY=<32 byte Base64 key from consul keygen>] [-E NOMADKEY=<16 byte or 32 byte key from nomad operator keygen>] \
    -E VAULTSERVER=<IP of Vault> -E VAULTTOKEN=<token-issued-by-vault> [-E REMOTELOG=<remote syslog IP>] \
    [-E DNSFORWARDERS=<none|list of IPs>]
    

The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'

The VAULTSERVER parameter defines the master Vault server to authenticate against, and can be passed in as an IP address.

The VAULTTOKEN parameter is a required valid token from the Vault service.

The BOOTSTRAP parameter defines the expected number of cluster nodes; it defaults to 1 (no cluster) if it is not set. You MUST still pass in a consul IP under CONSULSERVERS.

The GOSSIPKEY parameter is the gossip encryption key for the consul agent. A default key is used if the parameter is not set; do not use the default key for production encryption, provide your own instead.

The NOMADKEY parameter is the gossip encryption key for nomad. We're re-using the default key from consul, as nomad supports 32 byte Base64 keys, but the common one is a 16 byte Base64 key from nomad operator keygen.

The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.

The DNSFORWARDERS parameter is a space delimited list of IPs to forward DNS requests to. If set to none or left out, no DNS forwarders are used.

The SFTPUSER and SFTPPASS parameters are for the user on the vault leader in the VAULTSERVER parameter. You need to copy in the id_rsa from there to the host of this image.
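
An added example, not part of the potluck flavour: a POSIX sh preflight that checks the values described above before they are handed to pot set-env. The function names are hypothetical, and treating an unset GOSSIPKEY or NOMADKEY as a failure (because the default key would otherwise be used) is a choice made by this example.

```sh
#!/bin/sh
# Added example: preflight for the pot set-env values described above.
# All function names are hypothetical; nothing here ships with the flavour.

# Print the decoded byte length of a padded Base64 string; fail if malformed.
b64_decoded_len() {
  key=$1
  case $key in
    ''|*[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  len=${#key}
  [ $((len % 4)) -eq 0 ] || return 1
  body=${key%%=*}          # everything before the first '='
  tail=${key#"$body"}      # the padding, if any
  case $tail in *[!=]*) return 1 ;; esac
  pad=${#tail}
  [ "$pad" -le 2 ] || return 1
  echo $((len / 4 * 3 - pad))
}

# Succeed only for a dotted-quad IPv4 address (runs in a subshell so the
# IFS change does not leak into the caller).
is_ipv4() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  IFS=.
  # shellcheck disable=SC2086  # splitting on dots is intended
  set -- $1
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
)

# Succeed only for the documented form: '"10.0.0.2", "10.0.0.3"'.
valid_consulservers() {
  rest=$1
  [ -n "$rest" ] || return 1
  while :; do
    item=${rest%%,*}
    item=${item#"${item%%[! ]*}"}   # trim leading spaces
    item=${item%"${item##*[! ]}"}   # trim trailing spaces
    case $item in
      \"*\") addr=${item#\"}; addr=${addr%\"} ;;
      *) return 1 ;;
    esac
    is_ipv4 "$addr" || return 1
    case $rest in
      *,*) rest=${rest#*,} ;;
      *) break ;;
    esac
  done
  return 0
}

_fail() { echo "preflight: $*" >&2; problems=$((problems + 1)); }

# Check CONSULSERVERS, BOOTSTRAP, GOSSIPKEY and NOMADKEY from the environment.
preflight() {
  problems=0
  valid_consulservers "${CONSULSERVERS:-}" ||
    _fail "CONSULSERVERS must look like '\"10.0.0.2\", \"10.0.0.3\"'"
  case ${BOOTSTRAP:-1} in
    1|3|5) ;;
    *) _fail "BOOTSTRAP must be 1, 3 or 5" ;;
  esac
  if [ -z "${GOSSIPKEY:-}" ]; then
    _fail "GOSSIPKEY unset: the default key would be used"
  elif [ "$(b64_decoded_len "$GOSSIPKEY")" != 32 ]; then
    _fail "GOSSIPKEY must decode to 32 bytes (consul keygen)"
  fi
  if [ -z "${NOMADKEY:-}" ]; then
    _fail "NOMADKEY unset: the default key would be used"
  else
    case $(b64_decoded_len "$NOMADKEY") in
      16|32) ;;
      *) _fail "NOMADKEY must decode to 16 or 32 bytes (nomad operator keygen)" ;;
    esac
  fi
  [ "$problems" -eq 0 ]
}

# Run as: CONSULSERVERS=... GOSSIPKEY=... NOMADKEY=... sh preflight.sh --check
[ "${1:-}" != "--check" ] || preflight
```

Run it on the host with the same values you intend to pass via -E; a non-zero exit status means at least one value does not match the documented form.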

Usage

You can connect to the dashboard on port 4646 of your jail IP address.

To run a new job, connect to the jail via pot term <jailname> and run a nomad job description via nomad run -address=http://<jailip>:4646 <jobfile> or place the job via the dashboard.

Getting Started

How To Use The Ready-Made Image

FreeBSD 14.0:
pot import -p nomad-server-tls-amd64-14_0 -t 0.11.1 -U https://potluck.honeyguide.net/nomad-server-tls

With Signify Verification:
fetch https://potluck.honeyguide.net/potluck.pub; pot import -p nomad-server-tls-amd64-14_0 -t 0.11.1 -C potluck.pub -U https://potluck.honeyguide.net/nomad-server-tls

If you don’t want to use the default pot bridged network configuration but instead need an individual network setup (e.g. assign a host IP address), you can simply clone the jail after importing it, like this (em0 is the host network adapter in this example):
pot clone -P nomad-server-tls-amd64-14_0 -p my-cloned-jail -N alias -i "em0|10.10.10.10"

Note: Some images might require specific network configuration, double check the Overview-chapter at the top.

Alternatively: Create a Jail With This Flavour Yourself

1. Create Flavour Files

Save all files and directories from https://github.com/hny-gd/potluck/tree/master/nomad-server-tls to /usr/local/etc/pot/flavours/

2. Create Jail From Flavour

Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update

with your FreeBSD version (e.g. 14.0) and the name your jail should get.

Note: Some images might require specific network configuration, double check the Overview-chapter at the top.

Version History

0.11.1

  • Version bump for FBSD14 base image

0.10.17

  • Make consul-template retry more often

0.10.16

  • Update consul configuration to new version
  • Fix _app label in node-exporter

0.10.15

  • Disable QNAME minimization in unbound (consul can’t handle it)

0.10.14

  • Add new parameter DNSFORWARDERS to allow controlling how unbound is configured
  • Add reseason support to allow restarting grafana with fresh credentials

0.10.13

  • Moving /var/tmp/nomad out the way early in cook script

0.10.12

  • Moving /var/tmp/nomad out the way, if it exists, so it will be re-created on nomad start

0.10.11

  • Set 700 permissions on /var/tmp/nomad else nomad won’t start

0.10.10

  • Version bump for layered images

0.10.9

  • Make consul node_names non-FQDN

0.10.8

  • Fix nomad-client metrics retrieval

0.10.7

  • Major rework of templates, certificate issuing, and token/entity/group/role structure

0.10.6

  • Improve metrics collection

0.10.5

  • Merged PR 26, incrementing version in changelog

0.10.4

  • Dummy entry, missing version increment

0.10.3

  • Dummy entry, missing version increment

0.10.2

  • Dummy entry, missing version increment

0.10.1

  • Incrementing version number after pull request 25

0.10.0

  • Many improvements to service mesh components

0.9.38

  • Rebuild for FreeBSD 12_3 and 13 & pot 13

0.9.37

  • Updating version for merge

0.9.36

  • Fixing missing certs directory

0.9.35

  • Adding syslog-ng back

0.9.34

  • Updating metrics certificate names

0.9.33

  • Adding metrics pki stuff for node_exporter

0.9.32

  • Fixing missing pipes in cook scripts from TTL changes

0.9.31

  • Adding TTL parameter for consul templates

0.9.30

  • Setting version numbers to sync with ini for potman

0.9.23

  • Complete image revamp

0.9.22

  • Setting stricter permissions on key.pem

0.9.21

  • Removing sftppass, unsetting consul sysrc parameters where needed

0.9.20

  • Fixing missing security improvements

0.9.19

  • Updates for security improvements

0.9.18

  • Tweaking mandatory variables for optional parameters

0.9.17

  • Bug-fix on gossip key

0.9.16

  • Implementing mandatory variables

0.9.15

  • Updating for tls-client-validation

0.9.14

  • Turning off flow-control in syslog-ng, setting 120s time_reopen, and reducing log-fifo parameter

0.9.13

  • Clearing syslog-ng /dev/console entries to remove log spam

0.9.12

  • Updates to syslog-ng and standardised cert.pem key.pem ca.pem

0.9.11

  • Implementing syslog-ng with tls for remote logging

0.9.10

  • Switched to quarterly package sources

0.9.9

  • Adding optional logging to remote syslog server

0.9.8

  • Node-exporter TLS

0.9.7

  • Telemetry improvements

0.9.6

  • Reload consul on cert update

0.9.5

  • Fixing cron job for cert rotation

0.9.4

  • Updating for pkg vault

0.9.3

  • Third bash nomad-server with certificates and TLS, using vault for certificate rotation

0.9.2

  • Second bash nomad-server with certificates and TLS

0.9.1

  • First bash nomad-server with certificates and TLS

0.9

  • Initial commit

These images were built on Mon Mar 18 19:23:55 UTC 2024

Manual Image Download Links

nomad-server-tls-amd64-14_0_0.11.1.xz
nomad-server-tls-amd64-14_0_0.11.1.xz.skein
nomad-server-tls-amd64-14_0_0.11.1.xz.skein.sig
nomad-server-tls-amd64-14_0_0.11.1.xz.meta

Jenkins Pot Creation Logs

nomad-server-tls-amd64-14_0_0.11.1:


nomad-server-tls/nomad-server-tls:
copy-in -s /usr/local/etc/pot/flavours/nomad-server-tls.d/local -d /root/.pot_local
nomad-server-tls/nomad-server-tls.sh:
#!/bin/sh

# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
#    make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
#    contains the copy-in commands for the config files from <flavour>.d/
#    Remember that the package directories don't exist yet, so likely copy
#    to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
#    Configure the config files that have been copied in where necessary

# Set this to true if this jail flavour is to be created as a nomad
# (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script
# is installed appropriately at the end of this script
RUNS_IN_NOMAD=false

# set the cook log path/filename
COOKLOG=/var/log/cook.log

# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
    echo "Creating $COOKLOG" | tee -a $COOKLOG
else
    echo "WARNING $COOKLOG already exists"  | tee -a $COOKLOG
fi
date >> $COOKLOG

# -------------------- COMMON ---------------

STEPCOUNT=0
step() {
  STEPCOUNT=$(("$STEPCOUNT" + 1))
  STEP="$*"
  echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}

exit_ok() {
  trap - EXIT
  exit 0
}

FAILED=" failed"
exit_error() {
  STEP="$*"
  FAILED=""
  exit 1
}

set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT

# -------------- BEGIN PACKAGE SETUP -------------

step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# only modify repo if not already done in base image
# shellcheck disable=SC2016
test -e /usr/local/etc/pkg/repos/FreeBSD.conf || \
  echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
    >/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap

step "Touch /etc/rc.conf"
touch /etc/rc.conf

# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
# shellcheck disable=SC2015
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true

step "Disable sendmail"
service sendmail onedisable

step "Disable sshd"
service sshd onedisable || true

step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d

# we need consul for consul agent
step "Install package consul"
pkg install -y consul

step "Install package nomad"
pkg install -y nomad

step "Install package sudo"
pkg install -y sudo

step "Install package jq"
pkg install -y jq

step "Install package jo"
pkg install -y jo

step "Install package node_exporter"
pkg install -y node_exporter

step "Install package curl"
pkg install -y curl

step "Install package syslog-ng"
pkg install -y syslog-ng

step "Install package nginx"
pkg install -y nginx

step "Install package vault"
pkg install -y vault

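step "Add vault user to daemon class"
# NOTE: -G sets supplementary group membership (group "daemon"); the login
# class that governs mlock limits is set with "pw usermod -L daemon -n vault",
# as the vault package message states.
pw usermod vault -G daemon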

step "Install package consul-template"
pkg install -y consul-template

step "Clean package installation"
pkg autoremove -y
pkg clean -y

# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#

# this runs when image boots

# ----------------- BEGIN COOK ------------------

step "Clean cook artifacts"
rm -rf /usr/local/bin/cook /usr/local/share/cook

step "Install pot local"
tar -C /root/.pot_local -cf - . | tar -C /usr/local -xf -
rm -rf /root/.pot_local

step "Set file ownership on cook scripts"
chown -R root:wheel /usr/local/bin/cook /usr/local/share/cook
chmod 755 /usr/local/share/cook/bin/*

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
    echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
    chmod u+x /usr/local/bin/cook
else
    exit_error "there is no /usr/local/bin/cook to make executable"
fi

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#

# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG

# shellcheck disable=SC2016
echo '#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name="cook"
rcvar="cook_enable"
load_rc_config $name
: ${cook_enable:="NO"}
: ${cook_env:=""}
command="/usr/local/bin/cook"
command_args=""
run_rc_command "$1"
' > /usr/local/etc/rc.d/cook

step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
  echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
  chmod u+x /usr/local/etc/rc.d/cook
else
  exit_error "/usr/local/etc/rc.d/cook does not exist"
fi

if [ "$RUNS_IN_NOMAD" != "true" ]
then
  step "Enable cook service"
  # This is a non-nomad (non-blocking) jail, so we need to make sure the script
  # gets started when the jail is started:
  # Otherwise, /usr/local/bin/cook will be set as start script by the pot
  # flavour
  echo "enabling cook" | tee -a $COOKLOG
  service cook enable
fi

# -------------------- DONE ---------------
exit_ok

nomad-server-tls/nomad-server-tls+1:
nomad-server-tls/nomad-server-tls+1.sh:

nomad-server-tls/nomad-server-tls+2:
nomad-server-tls/nomad-server-tls+2.sh:

nomad-server-tls/nomad-server-tls+3:
nomad-server-tls/nomad-server-tls+3.sh:

nomad-server-tls/nomad-server-tls+4:
nomad-server-tls/nomad-server-tls+4.sh:
=====>  Create conf dir (/mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/conf)
=====>  Cloning freebsd-potluck-amd64-14_0_0_0_22 with snap 
=====>  clone zroot/srv/pot/jails/freebsd-potluck-amd64-14_0_0_0_22/m@1709457007 into zroot/srv/pot/jails/nomad-server-tls-amd64-14_0/m
=====>  Flavour: fbsd-update
=====>  Starting nomad-server-tls-amd64-14_0 pot for the initial bootstrap
=====>  mount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot nomad-server-tls-amd64-14_0
=====>  Pot nomad-server-tls-amd64-14_0 jail params are: allow.set_hostname=false allow.raw_sockets allow.socket_af allow.chflags exec.clean mount.devfs enforce_statfs=2 sysvshm=new sysvsem=new sysvmsg=new children.max=0 devfs_ruleset=4 stop.timeout=10 name=nomad-server-tls-amd64-14_0 host.hostname=nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net osrelease=14.0-RELEASE-p5 path=/mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m persist vnet vnet.interface=epair0b
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:93:a7:df:c0:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Clearing /tmp (X related).
Updating /var/run/os-release done.
Creating and/or trimming log files.
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting cron.

Mon Mar 18 19:19:32 UTC 2024
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on nomad-server-tls-amd64-14_0
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 14.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 14.0-RELEASE-p5.
No updates are available to install.
=====>  Stop the pot nomad-server-tls-amd64-14_0
=====>  Remove p465f893c0df2f epair network interfaces
=====>  unmount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp
=====>  unmount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/dev
=====>  Flavour: nomad-server-tls
=====>  Executing nomad-server-tls pot commands on nomad-server-tls-amd64-14_0
=====>  mount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp
=====>  Source /usr/local/etc/pot/flavours/nomad-server-tls.d/local copied in the pot nomad-server-tls-amd64-14_0
=====>  unmount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp
=====>  /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/dev is already unmounted
=====>  Starting nomad-server-tls-amd64-14_0 pot for the initial bootstrap
=====>  mount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot nomad-server-tls-amd64-14_0
=====>  Pot nomad-server-tls-amd64-14_0 jail params are: allow.set_hostname=false allow.raw_sockets allow.socket_af allow.chflags exec.clean mount.devfs enforce_statfs=2 sysvshm=new sysvsem=new sysvmsg=new children.max=0 devfs_ruleset=4 stop.timeout=10 name=nomad-server-tls-amd64-14_0 host.hostname=nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net osrelease=14.0-RELEASE-p5 path=/mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m persist vnet vnet.interface=epair0b
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ba:bb:ff:ab:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Clearing /tmp (X related).
Updating /var/run/os-release done.
Creating and/or trimming log files.
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting cron.

Mon Mar 18 19:20:16 UTC 2024
/usr/local/etc/pot/flavours/nomad-server-tls.sh -> /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp/nomad-server-tls.sh
=====>  Executing nomad-server-tls script on nomad-server-tls-amd64-14_0
WARNING /var/log/cook.log already exists
Step 1: Bootstrap package repo
pkg already bootstrapped at /usr/local/sbin/pkg
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Disable sshd
sshd disabled in /etc/rc.conf
Step 6: Create /usr/local/etc/rc.d
Step 7: Install package consul
Updating FreeBSD repository catalogue...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.pkg: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 33718 packages processed.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul: 1.17.1_1

Number of packages to be installed: 1

The process will require 118 MiB more space.
23 MiB to be downloaded.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.17.1_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.17.1_1...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.17.1_1: ..... done
Step 8: Install package nomad
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	nomad: 1.6.2_2

Number of packages to be installed: 1

The process will require 65 MiB more space.
17 MiB to be downloaded.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching nomad-1.6.2_2.pkg: .......... done
Checking integrity... done (0 conflicting)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing nomad-1.6.2_2...
===> Creating groups.
Creating group 'nomad' with gid '472'.
===> Creating users
Creating user 'nomad' with uid '472'.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting nomad-1.6.2_2: ........ done
Step 9: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 10: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 11: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 12: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	node_exporter: 1.6.1_1

Number of packages to be installed: 1

The process will require 11 MiB more space.
4 MiB to be downloaded.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.6.1_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.6.1_1...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.6.1_1: .......... done
=====
Message from node_exporter-1.6.1_1:

--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 13: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
Step 14: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 10 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	e2fsprogs-libuuid: 1.47.0
	glib: 2.78.3,2
	ivykis: 0.42.4_1
	json-c: 0.17
	libffi: 3.4.4
	libxml2: 2.10.4_2
	mpdecimal: 2.5.1
	pcre2: 10.42
	python39: 3.9.18
	syslog-ng: 4.4.0

Number of packages to be installed: 10

The process will require 165 MiB more space.
26 MiB to be downloaded.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/10] Fetching ivykis-0.42.4_1.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [2/10] Fetching libxml2-2.10.4_2.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [3/10] Fetching mpdecimal-2.5.1.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [4/10] Fetching python39-3.9.18.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [5/10] Fetching glib-2.78.3,2.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [6/10] Fetching syslog-ng-4.4.0.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [7/10] Fetching pcre2-10.42.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [8/10] Fetching libffi-3.4.4.pkg: ........ done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [9/10] Fetching json-c-0.17.pkg: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [10/10] Fetching e2fsprogs-libuuid-1.47.0.pkg: ....... done
Checking integrity... done (0 conflicting)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/10] Installing mpdecimal-2.5.1...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/10] Extracting mpdecimal-2.5.1: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [2/10] Installing libffi-3.4.4...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [2/10] Extracting libffi-3.4.4: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [3/10] Installing libxml2-2.10.4_2...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [3/10] Extracting libxml2-2.10.4_2: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [4/10] Installing python39-3.9.18...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [4/10] Extracting python39-3.9.18: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [5/10] Installing pcre2-10.42...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [5/10] Extracting pcre2-10.42: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [6/10] Installing ivykis-0.42.4_1...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [6/10] Extracting ivykis-0.42.4_1: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [7/10] Installing glib-2.78.3,2...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [7/10] Extracting glib-2.78.3,2: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [8/10] Installing json-c-0.17...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [8/10] Extracting json-c-0.17: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [9/10] Installing e2fsprogs-libuuid-1.47.0...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [9/10] Extracting e2fsprogs-libuuid-1.47.0: .......... done
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [10/10] Installing syslog-ng-4.4.0...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [10/10] Extracting syslog-ng-4.4.0: .......... done
==> Running trigger: gio-modules.ucl
Generating GIO modules cache
==> Running trigger: glib-schemas.ucl
Compiling glib schemas
No schema files found: doing nothing.
=====
Message from python39-3.9.18:

--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py39-gdbm       databases/py-gdbm@py39
py39-sqlite3    databases/py-sqlite3@py39
py39-tkinter    x11-toolkits/py-tkinter@py39
=====
Message from syslog-ng-4.4.0:

--
syslog-ng is now installed!  To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:

1. Create a configuration file named /usr/local/etc/syslog-ng.conf
   (a sample named syslog-ng.conf.sample has been included in
   /usr/local/etc). Note that this is a change in 2.0.2
   version, previous ones put the config file in
   /usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
   move that file in the right place

2. Configure syslog-ng to start automatically by adding the following
   to /etc/rc.conf:

        syslog_ng_enable="YES"

3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:

        syslogd_enable="NO"

4. Shut down the standard FreeBSD syslogd:

     kill `cat /var/run/syslog.pid`

5. Start syslog-ng:

     /usr/local/etc/rc.d/syslog-ng start
Step 15: Install package nginx
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	nginx: 1.24.0_14,3

Number of packages to be installed: 1

The process will require 1 MiB more space.
492 KiB to be downloaded.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching nginx-1.24.0_14,3.pkg: .......... done
Checking integrity... done (0 conflicting)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing nginx-1.24.0_14,3...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting nginx-1.24.0_14,3: .......... done
=====
Message from nginx-1.24.0_14,3:

--
Recent version of the NGINX introduces dynamic modules support.  In
FreeBSD ports tree this feature was enabled by default with the DSO
knob.  Several vendor's and third-party modules have been converted
to dynamic modules.  Unset the DSO knob builds an NGINX without
dynamic modules support.

To load a module at runtime, include the new `load_module'
directive in the main context, specifying the path to the shared
object file for the module, enclosed in quotation marks.  When you
reload the configuration or restart NGINX, the module is loaded in.
It is possible to specify a path relative to the source directory,
or a full path, please see
https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/ and
http://nginx.org/en/docs/ngx_core_module.html#load_module for
details.

Default path for the NGINX dynamic modules is

/usr/local/libexec/nginx.
Step 16: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	vault: 1.14.1_1

Number of packages to be installed: 1

The process will require 179 MiB more space.
37 MiB to be downloaded.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.14.1_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.14.1_1...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.14.1_1: ..... done
=====
Message from vault-1.14.1_1:

--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:

pw usermod -L daemon -n vault

or delete the user and reinstall the package.

You may also need to increase memorylocked for the daemon class in
/etc/rc.conf to more than 1024M (the default) or more:

vault_limits_mlock="2048M"

Or to disable mlock, add:

disable_mlock = 1

to /usr/local/etc/vault.hcl
Step 17: Add vault user to daemon class
Step 18: Install package consul-template
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul-template: 0.36.0

Number of packages to be installed: 1

The process will require 12 MiB more space.
4 MiB to be downloaded.
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-template-0.36.0.pkg: .......... done
Checking integrity... done (0 conflicting)
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-template-0.36.0...
[nomad-server-tls-amd64-14_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-template-0.36.0: ..... done
Step 19: Clean package installation
Checking integrity... done (0 conflicting)
Nothing to do.
Nothing to do.
Step 20: Clean cook artifacts
Step 21: Install pot local
Step 22: Set file ownership on cook scripts
Step 23: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 24: Create rc.d script to start cook
creating rc.d script to start cook
Step 25: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 26: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====>  Stop the pot nomad-server-tls-amd64-14_0
=====>  Remove p465f893efdf2f epair network interfaces
=====>  unmount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/tmp
=====>  unmount /mnt/srv/pot/jails/nomad-server-tls-amd64-14_0/m/dev
===>  exporting nomad-server-tls-amd64-14_0 @ 1710789691 to /tmp/nomad-server-tls-amd64-14_0_0.11.1.xz
xz: Reduced the number of threads from 4 to 3 to not exceed the memory usage limit of 503 MiB
