coren has uploaded a new change for review.
https://gerrit.wikimedia.org/r/135445
Change subject: Labs: puppetize replica-addusers
......................................................................
Labs: puppetize replica-addusers
(It's installed by hand right now)
Change-Id: Id3ff318f3e7e8b226b9ba08faff3bf05b6a1d845
---
M manifests/openstack.pp
M manifests/site.pp
A modules/generic/files/upstart/replica-addusers.conf
A modules/openstack/files/replica-addusers.pl
4 files changed, 187 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/45/135445/1
diff --git a/manifests/openstack.pp b/manifests/openstack.pp
index 743a197..1548a18 100644
--- a/manifests/openstack.pp
+++ b/manifests/openstack.pp
@@ -163,6 +163,25 @@
}
}
+class openstack::replica-management-service {
+
+ file { '/usr/local/sbin/replica-addusers.pl':
+ source => 'puppet:///files/openstack/replica-addusers.pl';
+ owner => 'root',
+ group => 'root',
+ mode => '0550',
+ }
+
+ generic::upstart_job{ 'replica-addusers':
+ install => true,
+ start => false,
+ require => File['/usr/local/sbin/replica-addusers.pl'],
+ }
+
+ # There is no service {} stanza on purpose -- this service
+ # must *only* be started by a manual operation
+}
+
class openstack::project-nfs-storage-service {
generic::upstart_job{ "manage-nfs-volumes":
install => true,
diff --git a/manifests/site.pp b/manifests/site.pp
index f974c69..21d4aab 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1444,6 +1444,7 @@
include standard
include openstack::project-nfs-storage-service
+ include openstack::replica-management-service
include rsync::server
rsync::server::module {
diff --git a/modules/generic/files/upstart/replica-addusers.conf
b/modules/generic/files/upstart/replica-addusers.conf
new file mode 100644
index 0000000..5bcaf61
--- /dev/null
+++ b/modules/generic/files/upstart/replica-addusers.conf
@@ -0,0 +1,8 @@
+description "Keep replication DB credentials in sync"
+
+# Started manually in start-nfs
+stop on stopping network-services
+
+respawn
+
+exec /usr/local/sbin/replica-addusers.pl
diff --git a/modules/openstack/files/replica-addusers.pl
b/modules/openstack/files/replica-addusers.pl
new file mode 100755
index 0000000..21f5b66
--- /dev/null
+++ b/modules/openstack/files/replica-addusers.pl
@@ -0,0 +1,159 @@
+#! /usr/bin/perl
+#
+# Copyright © 2013 Marc-André Pelletier <mpellet...@wikimedia.org>
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+# THIS FILE IS MANAGED BY PUPPET
+#
+# Source: modules/openstack/files/replica-addusers.pl
+# From: openstack::replica-management-service
+
+
+use strict;
+use DBI();
+
+my %databases = (
+ 's1' => [ "labsdb1001", 3306 ],
+ 's2' => [ "labsdb1002", 3306 ],
+ 's3' => [ "labsdb1003", 3308 ],
+ 's4' => [ "labsdb1002", 3307 ],
+ 's5' => [ "labsdb1002", 3308 ],
+ 's6' => [ "labsdb1003", 3306 ],
+ 's7' => [ "labsdb1003", 3307 ],
+ 'udb' => [ "labsdb1005", 3306 ],
+);
+
+my %dbc;
+
+
+my $dbuser;
+my $dbpassword;
+my $mycnf = $ENV{'HOME'} . "/.my.cnf";
+if(open MYCNF, "<$mycnf") {
+ my $client = 0;
+ while(<MYCNF>) {
+ if(m/^\[client\]\s*$/) {
+ $client = 1;
+ next;
+ }
+ $client = 0 if m/^\[/;
+ next unless $client;
+ $dbuser = $1 if m/^\s*user\s*=\s*'(.*)'\s*$/;
+ $dbpassword = $1 if m/^\s*password\s*=\s*'(.*)'\s*$/;
+ }
+ close MYCNF;
+}
+die "No credentials for connecting to databases.\n" unless defined $dbuser and
defined $dbpassword;
+
+for(;;) {
+
+ my %dbc;
+ my $dbopen = 0;
+ my @projects = glob "/srv/project/*";
+ my %allhomes;
+ print "[enumerating homes]\n";
+ foreach my $dir (glob("/srv/project/*/home/*"),
glob("/srv/project/*/project/*")) {
+ next if -f "$dir/replica.my.cnf";
+ my @sd = stat $dir;
+ next unless $#sd > -1;
+ $allhomes{$dir} = $sd[4]; # uid
+ }
+
+ print "[enumerating users]\n";
+ open PW, "/usr/bin/getent passwd|" or die "getent: $!\n";
+ while(<PW>) {
+ my ($username, undef, $uid, $gid, undef, $home, undef) = split /:/;
+ next if $uid < 500;
+ my @homes;
+ $home =~ s/\/$//;
+ $home = $1 if $home =~ m[^/data(/project/.*)$];
+ foreach my $p (@projects) {
+ next unless defined $allhomes{$p.$home};
+ next unless $allhomes{$p.$home} == $uid;
+ push @homes, $p.$home;
+ }
+
+ my $pwfile = "/var/cache/dbusers/$username";
+ my $password;
+ if(open PWFILE, "<$pwfile") {
+ $password = <PWFILE>;
+ chop $password;
+ close PWFILE;
+ } else {
+ print "* creating credentials for $username\n";
+ $password = `/usr/bin/pwgen 16 1`;
+ chop $password;
+ open PWFILE, ">$pwfile" or die "$pwfile: $!\n";
+ print PWFILE "$password\n";
+ close PWFILE;
+ }
+
+ my $t = ($uid==$gid)? 's': 'u';
+ my $mysqlusr = "$t$uid";
+
+ my $grants = "/var/cache/dbusers/$username.grants";
+ unless(-f $grants) {
+ unless($dbopen) {
+ foreach my $dbn (keys %databases) {
+ my ($dbh, $dbp) = @{$databases{$dbn}};
+ my $c =
DBI->connect("DBI:mysql:host=$dbh;port=$dbp;mysql_enable_utf8=1",
+ $dbuser, $dbpassword, {'RaiseError' => 0});
+ if(defined $c) {
+ $c->do("SET NAMES 'utf8';");
+ $dbc{$dbn} = $c;
+ print "+ connected to $dbn\n";
+ }
+ }
+ $dbopen = 1;
+ }
+
+ print "* grants for $username ($mysqlusr):";
+ foreach my $dbn (keys %dbc) {
+ print " [$dbn]";
+ $dbc{$dbn}->do("grant usage on *.* to $mysqlusr\@'\%'
identified by '$password';");
+ $dbc{$dbn}->do("grant select, show view on `\%_p`.* to
$mysqlusr\@'\%';");
+ $dbc{$dbn}->do("grant show view on *.* to $mysqlusr\@'\%';");
+ $dbc{$dbn}->do("grant all privileges on `${mysqlusr}__\%`.* to
$mysqlusr\@'\%' with grant option;");
+ }
+ print "\n";
+ open GRANTS, ">$grants" and close GRANTS;
+ }
+
+ next if $#homes < 0;
+
+ foreach my $dir (@homes) {
+ $pwfile = "$dir/replica.my.cnf";
+ if(open MYCNF, ">$pwfile") {
+ print "* creds for $username ($mysqlusr) added to $pwfile\n";
+ chown $uid, $gid, $pwfile;
+ chmod 0600, $pwfile;
+ print MYCNF "[client]\n";
+ print MYCNF "user='$mysqlusr'\n";
+ print MYCNF "password='$password'\n";
+ close MYCNF;
+ }
+ }
+ }
+
+ if($dbopen) {
+ print "+ closing database connections\n";
+ foreach my $db (values %dbc) {
+ $db->disconnect;
+ }
+ }
+
+ sleep 120;
+}
+
--
To view, visit https://gerrit.wikimedia.org/r/135445
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Id3ff318f3e7e8b226b9ba08faff3bf05b6a1d845
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: coren <mpellet...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
