Diffstat (limited to 'systemd')
| -rw-r--r-- | systemd/ceph-mon.target | 11 | ||||
| -rw-r--r-- | systemd/ceph-mon@.service | 31 | ||||
| -rw-r--r-- | systemd/ceph-osd.target | 11 | ||||
| -rw-r--r-- | systemd/ceph-osd@.service | 31 | ||||
| -rw-r--r-- | systemd/cluster-detect.service | 33 | ||||
| -rw-r--r-- | systemd/containerd.service | 31 | ||||
| -rw-r--r-- | systemd/coredns.service | 31 | ||||
| -rw-r--r-- | systemd/dns.target | 10 | ||||
| -rw-r--r-- | systemd/etcd.service | 45 | ||||
| -rw-r--r-- | systemd/kafka.service | 34 | ||||
| -rw-r--r-- | systemd/kafka.target | 10 | ||||
| -rw-r--r-- | systemd/kube-apiserver.service | 46 | ||||
| -rw-r--r-- | systemd/kube-controller-manager.service | 33 | ||||
| -rw-r--r-- | systemd/kube-scheduler.service | 20 | ||||
| -rw-r--r-- | systemd/kubelet.service | 29 | ||||
| -rw-r--r-- | systemd/kubernetes-master.target | 16 | ||||
| -rw-r--r-- | systemd/kubernetes-worker.target | 12 | ||||
| -rw-r--r-- | systemd/mosquitto.service | 28 | ||||
| -rw-r--r-- | systemd/mqtt.target | 10 |
19 files changed, 472 insertions, 0 deletions
diff --git a/systemd/ceph-mon.target b/systemd/ceph-mon.target
new file mode 100644
index 0000000..9697b9b
--- /dev/null
+++ b/systemd/ceph-mon.target
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ceph Monitor Node
+Documentation=https://docs.ceph.com/
+Requires=network-online.target
+After=network-online.target cluster-detect.service
+
+# Ceph monitor service (instance will be determined by node name)
+Wants=ceph-mon@.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/ceph-mon@.service b/systemd/ceph-mon@.service
new file mode 100644
index 0000000..ac471ec
--- /dev/null
+++ b/systemd/ceph-mon@.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Ceph Monitor daemon (mon.%i)
+Documentation=https://docs.ceph.com/
+PartOf=ceph-mon.target
+After=network-online.target local-fs.target time-sync.target cluster-detect.service
+Wants=network-online.target local-fs.target time-sync.target
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/cluster-config/environment/ceph.env
+ExecStartPre=/usr/local/bin/ceph-mon-init.sh %i
+ExecStart=/usr/bin/ceph-mon -f --cluster ceph --id %i --setuser ceph --setgroup ceph
+ExecReload=/bin/kill -HUP $MAINPID
+
+# Resource management
+LimitNOFILE=1048576
+LimitNPROC=1048576
+
+Restart=on-failure
+RestartSec=10
+StartLimitInterval=30min
+StartLimitBurst=3
+
+# Security
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
+
+[Install]
+WantedBy=ceph-mon.target
diff --git a/systemd/ceph-osd.target b/systemd/ceph-osd.target
new file mode 100644
index 0000000..79c5353
--- /dev/null
+++ b/systemd/ceph-osd.target
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ceph OSD Node
+Documentation=https://docs.ceph.com/
+Requires=network-online.target
+After=network-online.target cluster-detect.service
+
+# OSD services will be started per-device
+# Wants=ceph-osd@0.service (dynamically added based on node config)
+
+[Install]
+WantedBy=multi-user.target
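Review bot: `Wants=ceph-mon@.service` names a template unit with no instance, which systemd cannot resolve as a dependency (it logs something like "Failed to add dependency on ceph-mon@.service, ignoring: Invalid argument"), so no monitor is started when ceph-mon.target comes up. The comment says the instance is the node name, and a specifier expresses that directly: `Wants=ceph-mon@%H.service` (or `%l` for the short host name on systemd ≥ 241), which is then what `ceph-mon --id %i` and `ceph-mon-init.sh %i` receive. If the mon id is instead produced by cluster-detect, a generated drop-in or a `systemctl enable ceph-mon@<id>` from the init path is needed rather than a static `Wants=`.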
diff --git a/systemd/ceph-osd@.service b/systemd/ceph-osd@.service
new file mode 100644
index 0000000..27c52e3
--- /dev/null
+++ b/systemd/ceph-osd@.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Ceph OSD daemon (osd.%i)
+Documentation=https://docs.ceph.com/
+PartOf=ceph-osd.target
+After=network-online.target local-fs.target time-sync.target cluster-detect.service
+Wants=network-online.target local-fs.target time-sync.target
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/cluster-config/environment/ceph.env
+ExecStartPre=/usr/local/bin/ceph-osd-init.sh %i
+ExecStart=/usr/bin/ceph-osd -f --cluster ceph --id %i --setuser ceph --setgroup ceph
+ExecStartPost=/usr/bin/ceph osd crush create-or-move -- %i ${OSD_WEIGHT} root=default host=$(hostname -s)
+
+# Resource management
+LimitNOFILE=1048576
+LimitNPROC=1048576
+
+Restart=on-failure
+RestartSec=10
+StartLimitInterval=30min
+StartLimitBurst=5
+
+# Security
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
+
+[Install]
+WantedBy=ceph-osd.target
diff --git a/systemd/cluster-detect.service b/systemd/cluster-detect.service
new file mode 100644
index 0000000..b9d85c4
--- /dev/null
+++ b/systemd/cluster-detect.service
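Review bot: `host=$(hostname -s)` on the `ExecStartPost=` line is never expanded, because systemd does no shell command substitution; the ceph CLI receives the literal tokens `$(hostname` and `-s)`, so the OSD lands under a bogus host bucket or the call fails. Use a specifier, `host=%l` (short host name, systemd ≥ 241) or `host=%H`, or export the name from ceph.env and write `host=${NODE_SHORT_NAME}`. This line also runs as root with whatever keyring `/usr/bin/ceph` picks up by default, presumably client.admin, which is more than a placement update needs; `--name osd.%i --keyring /var/lib/ceph/osd/ceph-%i/keyring` would keep it to the OSD's own identity. Note that ceph-osd updates its own CRUSH location at startup by default (osd_crush_update_on_start), so check whether this ExecStartPost is needed at all.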
@@ -0,0 +1,33 @@
+[Unit]
+Description=Cluster Node Identity Detection
+Documentation=man:cluster-detect(8)
+# Must run very early, before any cluster services
+DefaultDependencies=no
+After=local-fs.target
+Before=network-pre.target sysinit.target
+Wants=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# Configuration directory (will be /etc/cluster-config on installed system)
+Environment=CONFIG_DIR=/etc/cluster-config
+
+ExecStart=/usr/local/bin/cluster-detect.sh
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=cluster-detect
+
+# Security hardening
+# (Relaxed for now since it needs to modify /etc/cluster-config)
+NoNewPrivileges=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+
+[Install]
+WantedBy=sysinit.target
diff --git a/systemd/containerd.service b/systemd/containerd.service
new file mode 100644
index 0000000..6d31694
--- /dev/null
+++ b/systemd/containerd.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+
+[Service]
+Type=notify
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/bin/containerd
+
+Restart=always
+RestartSec=5
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+
+# Comment TasksMax if your systemd version does not support it.
+# Only systemd 226 and above support this option.
+TasksMax=infinity
+
+# Set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+
+# Kill only the containerd process, not all processes in the cgroup
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/coredns.service b/systemd/coredns.service
new file mode 100644
index 0000000..5bb725d
--- /dev/null
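Review bot: The comment under "Security hardening" says `ProtectSystem=` was left out because the script must write `/etc/cluster-config`, but that is exactly what `ReadWritePaths=` is for: `ProtectSystem=strict` together with `ReadWritePaths=/etc/cluster-config` keeps /usr, /boot and the rest of /etc read-only for a root oneshot that runs before sysinit.target and whose output is consumed by every other unit's `EnvironmentFile=` (and, via `${NODE_IP}` and friends, by the etcd and kube-apiserver command lines). `PrivateTmp=true` would also bring it in line with the other hardened units. If the script writes anywhere else, add that path to the same `ReadWritePaths=` line rather than dropping the protection, and replace the "Relaxed for now" comment with one that names the writable paths and why.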
+++ b/systemd/coredns.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=CoreDNS DNS server
+Documentation=https://coredns.io/manual/toc/
+After=network-online.target kubernetes-master.target cluster-detect.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=coredns
+Group=coredns
+EnvironmentFile=/etc/cluster-config/environment/coredns.env
+ExecStartPre=/usr/local/bin/coredns-config-generator.sh
+ExecStart=/usr/bin/coredns -conf /etc/coredns/Corefile
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+
+Restart=always
+RestartSec=5
+
+# Security
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/coredns
+PrivateTmp=true
+
+LimitNOFILE=8192
+
+[Install]
+WantedBy=dns.target
diff --git a/systemd/dns.target b/systemd/dns.target
new file mode 100644
index 0000000..37c874f
--- /dev/null
+++ b/systemd/dns.target
@@ -0,0 +1,10 @@
+[Unit]
+Description=Cluster DNS Server
+Documentation=https://coredns.io/
+Requires=network-online.target
+After=network-online.target cluster-detect.service kubernetes-master.target
+
+Wants=coredns.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/etcd.service b/systemd/etcd.service
new file mode 100644
index 0000000..831d3eb
--- /dev/null
+++ b/systemd/etcd.service
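Review bot: `ExecStartPre=/usr/local/bin/coredns-config-generator.sh` runs as `User=coredns` inside the same sandbox as the daemon, where `ProtectSystem=strict` makes `/etc` read-only and only `/var/lib/coredns` is writable, so if the generator is meant to produce `/etc/coredns/Corefile` (as the `-conf` path suggests) it fails and the unit never starts. Either generate under `/var/lib/coredns` and point `-conf` there, or run the generator with the `+` prefix, `ExecStartPre=+/usr/local/bin/coredns-config-generator.sh`, which executes it as root outside the sandbox (systemd ≥ 231) and leaves the Corefile read-only for the daemon itself; the latter also stops a compromised coredns process from rewriting its own forwarding and plugin configuration. The generator script is not part of this diff, so this is inferred from the paths.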
@@ -0,0 +1,45 @@
+[Unit]
+Description=etcd key-value store
+Documentation=https://etcd.io/docs/
+After=network.target cluster-detect.service
+Before=kube-apiserver.service
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/cluster-config/environment/etcd.env
+ExecStartPre=/usr/local/bin/etcd-config-generator.sh
+ExecStart=/usr/bin/etcd \
+ --name=${ETCD_NAME} \
+ --data-dir=/var/lib/etcd \
+ --listen-client-urls=https://${NODE_IP}:2379,https://127.0.0.1:2379 \
+ --advertise-client-urls=https://${NODE_IP}:2379 \
+ --listen-peer-urls=https://${NODE_IP}:2380 \
+ --initial-advertise-peer-urls=https://${NODE_IP}:2380 \
+ --initial-cluster=${ETCD_INITIAL_CLUSTER} \
+ --initial-cluster-token=etcd-cluster \
+ --initial-cluster-state=new \
+ --cert-file=/etc/kubernetes/pki/etcd/server.crt \
+ --key-file=/etc/kubernetes/pki/etcd/server.key \
+ --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt \
+ --peer-key-file=/etc/kubernetes/pki/etcd/peer.key \
+ --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
+ --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
+ --peer-client-cert-auth \
+ --client-cert-auth \
+ --snapshot-count=10000 \
+ --heartbeat-interval=100 \
+ --election-timeout=1000
+
+Restart=always
+RestartSec=10
+
+# Security
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/etcd
+
+LimitNOFILE=65536
+
+[Install]
+WantedBy=kubernetes-master.target
diff --git a/systemd/kafka.service b/systemd/kafka.service
new file mode 100644
index 0000000..c6fe3e9
--- /dev/null
+++ b/systemd/kafka.service
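Review bot: etcd has no `User=`/`Group=` and therefore runs as root, while the other daemons with their own data directory in this series (kafka, coredns, mosquitto) drop privileges; its data dir holds the entire cluster state including Secrets, and the process holds the server and peer private keys. Add `User=etcd` and `Group=etcd` (with `/var/lib/etcd` and the keys under `/etc/kubernetes/pki/etcd` owned or group-readable accordingly) plus `PrivateTmp=true` to match the other units. `ExecStartPre=` then runs as that user too, so if `etcd-config-generator.sh` writes outside `/var/lib/etcd` it needs the `+` prefix or its own `ReadWritePaths=` entry. The hard-coded `--initial-cluster-state=new` and static `--initial-cluster-token=etcd-cluster` are harmless only because etcd ignores the `--initial-*` flags once a WAL exists in the data dir; a comment stating that would save the next reader from "fixing" it.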
@@ -0,0 +1,34 @@
+[Unit]
+Description=Apache Kafka Broker (KRaft mode)
+Documentation=https://kafka.apache.org/documentation/
+After=network-online.target cluster-detect.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=kafka
+Group=kafka
+EnvironmentFile=/etc/cluster-config/environment/kafka.env
+Environment="KAFKA_HEAP_OPTS=-Xmx2G -Xms2G"
+Environment="KAFKA_JVM_PERFORMANCE_OPTS=-XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:G1HeapRegionSize=16M -XX:MinMetaspaceFreeRatio=50 -XX:MaxMetaspaceFreeRatio=80"
+
+ExecStartPre=/usr/local/bin/kafka-config-generator.sh
+ExecStart=/opt/kafka/bin/kafka-server-start.sh /var/lib/kafka/server.properties
+
+# Graceful shutdown
+TimeoutStopSec=180
+SuccessExitStatus=143
+
+Restart=always
+RestartSec=10
+
+# Security
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/kafka /var/log/kafka
+
+LimitNOFILE=100000
+
+[Install]
+WantedBy=kafka.target
diff --git a/systemd/kafka.target b/systemd/kafka.target
new file mode 100644
index 0000000..ea8eb43
--- /dev/null
+++ b/systemd/kafka.target
@@ -0,0 +1,10 @@
+[Unit]
+Description=Apache Kafka Broker
+Documentation=https://kafka.apache.org/documentation/
+Requires=network-online.target
+After=network-online.target cluster-detect.service
+
+Wants=kafka.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/kube-apiserver.service b/systemd/kube-apiserver.service
new file mode 100644
index 0000000..7e4f2c6
--- /dev/null
+++ b/systemd/kube-apiserver.service
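Review bot: The broker reads `/var/lib/kafka/server.properties` from a directory that is in `ReadWritePaths=` and writable by the service user, so the listener, SASL/SSL and authorizer settings that define the broker's security posture can be rewritten by the broker process itself (or anything that gets code execution as `kafka`), and `Restart=always` will load the altered file on the next restart. Generating the file into a root-owned location such as `/etc/kafka/server.properties` via `ExecStartPre=+/usr/local/bin/kafka-config-generator.sh` (the `+` runs the generator as root outside the sandbox, systemd ≥ 231) keeps it read-only under `ProtectSystem=strict`. `PrivateTmp=true` is also missing here although the JVM writes hsperfdata and temp files to /tmp; the other hardened units in this series set it.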
@@ -0,0 +1,46 @@
+[Unit]
+Description=Kubernetes API Server
+Documentation=https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+After=network.target etcd.service cluster-detect.service
+Wants=etcd.service
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/cluster-config/environment/kube-apiserver.env
+ExecStartPre=/usr/local/bin/kube-apiserver-config-generator.sh
+ExecStart=/usr/bin/kube-apiserver \
+ --advertise-address=${NODE_IP} \
+ --allow-privileged=true \
+ --authorization-mode=Node,RBAC \
+ --client-ca-file=/etc/kubernetes/pki/ca.crt \
+ --enable-admission-plugins=NodeRestriction \
+ --enable-bootstrap-token-auth=true \
+ --etcd-servers=https://127.0.0.1:2379 \
+ --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt \
+ --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt \
+ --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key \
+ --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt \
+ --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key \
+ --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
+ --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt \
+ --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key \
+ --requestheader-allowed-names=front-proxy-client \
+ --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt \
+ --requestheader-extra-headers-prefix=X-Remote-Extra- \
+ --requestheader-group-headers=X-Remote-Group \
+ --requestheader-username-headers=X-Remote-User \
+ --secure-port=6443 \
+ --service-account-issuer=https://kubernetes.default.svc.cluster.local \
+ --service-account-key-file=/etc/kubernetes/pki/sa.pub \
+ --service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
+ --service-cluster-ip-range=${SERVICE_CIDR} \
+ --tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
+ --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
+
+Restart=always
+RestartSec=10
+
+LimitNOFILE=65536
+
+[Install]
+WantedBy=kubernetes-master.target
diff --git a/systemd/kube-controller-manager.service b/systemd/kube-controller-manager.service
new file mode 100644
index 0000000..d3a54ed
--- /dev/null
+++ b/systemd/kube-controller-manager.service
@@ -0,0 +1,33 @@
+[Unit]
+Description=Kubernetes Controller Manager
+Documentation=https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
+After=kube-apiserver.service
+Wants=kube-apiserver.service
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/cluster-config/environment/kube-controller-manager.env
+ExecStart=/usr/bin/kube-controller-manager \
+ --allocate-node-cidrs=true \
+ --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf \
+ --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf \
+ --bind-address=127.0.0.1 \
+ --client-ca-file=/etc/kubernetes/pki/ca.crt \
+ --cluster-cidr=${POD_CIDR} \
+ --cluster-name=kubernetes \
+ --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt \
+ --cluster-signing-key-file=/etc/kubernetes/pki/ca.key \
+ --controllers=*,bootstrapsigner,tokencleaner \
+ --kubeconfig=/etc/kubernetes/controller-manager.conf \
+ --leader-elect=true \
+ --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt \
+ --root-ca-file=/etc/kubernetes/pki/ca.crt \
+ --service-account-private-key-file=/etc/kubernetes/pki/sa.key \
+ --service-cluster-ip-range=${SERVICE_CIDR} \
+ --use-service-account-credentials=true
+
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=kubernetes-master.target
diff --git a/systemd/kube-scheduler.service b/systemd/kube-scheduler.service
new file mode 100644
index 0000000..d2c575c
--- /dev/null
+++ b/systemd/kube-scheduler.service
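Review bot: The apiserver authenticates to kubelets with a client certificate (`--kubelet-client-certificate`) but sets no `--kubelet-certificate-authority=`, so it never verifies the kubelet serving certificate and exec/logs/port-forward traffic to nodes is exposed to an on-path attacker; add `--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt` (or whichever CA issues the kubelet serving certs). Two further CIS-benchmark items are absent from the flag list: no audit logging (`--audit-policy-file=`, `--audit-log-path=`, `--audit-log-maxage=`, …) and no `--encryption-provider-config=`, so Secrets are written to etcd in plaintext. Unlike etcd, kafka, coredns and mosquitto in this series the unit carries no sandboxing at all; `NoNewPrivileges=true`, `ProtectHome=true`, `ProtectSystem=strict` and `PrivateTmp=true` apply cleanly here, with a `ReadWritePaths=` only once an audit log path exists.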
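Review bot: This unit hands the controller manager the cluster CA private key (`--cluster-signing-key-file=/etc/kubernetes/pki/ca.key`) and the service-account signing key, yet it is the least protected unit in the series: no `User=`, no `NoNewPrivileges=`, no `ProtectSystem=`, no `PrivateTmp=`. The process needs nothing writable under /etc or /usr, so `NoNewPrivileges=true`, `ProtectHome=true`, `ProtectSystem=strict` and `PrivateTmp=true` can be added as-is. `Type=notify` is also doubtful: as far as I can tell kube-controller-manager never sends `READY=1`, so the unit would sit in "activating" until `TimeoutStartSec` expires and then be killed and restarted by `Restart=always`; `Type=simple` (or `exec`) is the safe choice unless notify support has been confirmed.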
@@ -0,0 +1,20 @@
+[Unit]
+Description=Kubernetes Scheduler
+Documentation=https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/
+After=kube-apiserver.service
+Wants=kube-apiserver.service
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/kube-scheduler \
+ --authentication-kubeconfig=/etc/kubernetes/scheduler.conf \
+ --authorization-kubeconfig=/etc/kubernetes/scheduler.conf \
+ --bind-address=127.0.0.1 \
+ --kubeconfig=/etc/kubernetes/scheduler.conf \
+ --leader-elect=true
+
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=kubernetes-master.target
diff --git a/systemd/kubelet.service b/systemd/kubelet.service
new file mode 100644
index 0000000..46be849
--- /dev/null
+++ b/systemd/kubelet.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://kubernetes.io/docs/concepts/overview/components/#kubelet
+After=containerd.service network-online.target cluster-detect.service
+Requires=containerd.service
+Wants=network-online.target
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/cluster-config/environment/kubelet.env
+ExecStartPre=/usr/local/bin/kubelet-config-generator.sh
+ExecStart=/usr/bin/kubelet \
+ --config=/var/lib/kubelet/config.yaml \
+ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \
+ --kubeconfig=/etc/kubernetes/kubelet.conf \
+ --node-ip=${NODE_IP}
+
+Restart=always
+RestartSec=10
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+# Security
+NoNewPrivileges=false
+
+[Install]
+WantedBy=kubernetes-master.target kubernetes-worker.target
diff --git a/systemd/kubernetes-master.target b/systemd/kubernetes-master.target
new file mode 100644
index 0000000..ebb024d
--- /dev/null
+++ b/systemd/kubernetes-master.target
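Review bot: `Type=notify` requires the process to send `READY=1`, and as far as I can tell kube-scheduler does not, so the unit would stay in "activating" until the default 90 s `TimeoutStartSec` and then be killed and restarted by `Restart=always` in a loop; use `Type=simple` unless notify support has been verified. The unit also carries none of the sandboxing used elsewhere in this series although the scheduler only needs read access to `/etc/kubernetes/scheduler.conf`; `NoNewPrivileges=true`, `ProtectHome=true`, `ProtectSystem=strict` and `PrivateTmp=true` can be added without any `ReadWritePaths=`. Running it under a dedicated `User=` is feasible too, since it binds only 127.0.0.1 on an unprivileged port.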
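Review bot: With `--config=/var/lib/kubelet/config.yaml` all of the kubelet's authentication and authorization settings (anonymous access, webhook authorization, `readOnlyPort`, `serverTLSBootstrap`/`rotateCertificates`) live in a file produced by `kubelet-config-generator.sh`, which is not in this diff, so the node agent's security posture cannot be reviewed here; please add a comment above `ExecStartPre=` such as `# config.yaml is produced by kubelet-config-generator.sh; it must set authentication.anonymous.enabled=false, authorization.mode=Webhook and readOnlyPort=0`. `NoNewPrivileges=false` is explicit and correct for the kubelet, but a one-line why-comment would stop a later hardening pass from flipping it. `LimitNPROC=4096` has no effect on a root process (RLIMIT_NPROC is not enforced for processes holding CAP_SYS_ADMIN or CAP_SYS_RESOURCE), so it is documentation at best.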
@@ -0,0 +1,16 @@
+[Unit]
+Description=Kubernetes Master/Control Plane Node
+Documentation=https://kubernetes.io/docs/
+Requires=network-online.target
+After=network-online.target cluster-detect.service
+Wants=containerd.service
+
+# Master components
+Wants=kubelet.service
+Wants=kube-apiserver.service
+Wants=kube-controller-manager.service
+Wants=kube-scheduler.service
+Wants=etcd.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/kubernetes-worker.target b/systemd/kubernetes-worker.target
new file mode 100644
index 0000000..59ccefc
--- /dev/null
+++ b/systemd/kubernetes-worker.target
@@ -0,0 +1,12 @@
+[Unit]
+Description=Kubernetes Worker Node
+Documentation=https://kubernetes.io/docs/
+Requires=network-online.target
+After=network-online.target cluster-detect.service
+Wants=containerd.service
+
+# Worker components
+Wants=kubelet.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/mosquitto.service b/systemd/mosquitto.service
new file mode 100644
index 0000000..2eff1d4
--- /dev/null
+++ b/systemd/mosquitto.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Mosquitto MQTT Broker
+Documentation=man:mosquitto.conf(5) man:mosquitto(8)
+After=network-online.target cluster-detect.service
+Wants=network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+User=mosquitto
+Group=mosquitto
+EnvironmentFile=/etc/cluster-config/environment/mqtt.env
+ExecStartPre=/usr/local/bin/mosquitto-config-generator.sh
+ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
+ExecReload=/bin/kill -HUP $MAINPID
+
+Restart=always
+RestartSec=5
+
+# Security
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/mosquitto
+PrivateTmp=true
+
+[Install]
+WantedBy=mqtt.target
diff --git a/systemd/mqtt.target b/systemd/mqtt.target
new file mode 100644
index 0000000..6396402
--- /dev/null
+++ b/systemd/mqtt.target
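Review bot: `ExecStartPre=/usr/local/bin/mosquitto-config-generator.sh` runs as `User=mosquitto` inside the `ProtectSystem=strict` sandbox where only `/var/lib/mosquitto` is writable, so if it is expected to write `/etc/mosquitto/mosquitto.conf` (the path passed to `-c`) it fails and the broker never starts. Run it with the `+` prefix, `ExecStartPre=+/usr/local/bin/mosquitto-config-generator.sh`, so it executes as root outside the sandbox (systemd ≥ 231) and the resulting file, which carries `allow_anonymous`, `listener` and TLS settings, stays read-only for the broker; the alternative of pointing `-c` at a file under `/var/lib/mosquitto` works but lets a compromised broker alter its own access-control configuration. The generator is not in this diff, so this is inferred from the paths.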
@@ -0,0 +1,10 @@
+[Unit]
+Description=MQTT Message Broker
+Documentation=https://mosquitto.org/
+Requires=network-online.target
+After=network-online.target cluster-detect.service
+
+Wants=mosquitto.service
+
+[Install]
+WantedBy=multi-user.target |
