Giuseppe Lavagetto has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/153397

Change subject: puppetmaster: make reimaging servers easier.
......................................................................

puppetmaster: make reimaging servers easier.

Change-Id: Id898cce1f634f4ae2015173f15e95ab94d60fc43
Signed-off-by: Giuseppe Lavagetto <glavage...@wikimedia.org>
---
A modules/puppetmaster/files/reimage.sh
M modules/puppetmaster/manifests/scripts.pp
2 files changed, 118 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/97/153397/1

diff --git a/modules/puppetmaster/files/reimage.sh 
b/modules/puppetmaster/files/reimage.sh
new file mode 100755
index 0000000..ac9780c
--- /dev/null
+++ b/modules/puppetmaster/files/reimage.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+# Helper script for reimaging a server.
+# Author: Giuseppe Lavagetto
+# Copyright (c) 2014 the Wikimedia Foundation
+set -e
+set -u
+SLEEPTIME=60
+FORCE=0
+
+function log  {
+    echo "$@";
+}
+
+function clean_puppet {
+    nodename=${1}
+    log "cleaning puppet certificate for ${nodename}"
+    puppet cert clean ${nodename}
+    # An additional, paranoid check.
+    (puppet cert list --all | fgrep -q ${nodename}; \
+        if [ $? eq 0 ]; then log "unable to clean puppet cert, please check 
manually"; exit 1; fi;)
+    log "cleaning puppet facts cache for ${nodename}"
+    /usr/local/sbin/puppetstoredconfigclean.rb ${nodename}
+}
+
+function clean_salt {
+    nodename=${1}
+    log "cleaning salt key cache for ${nodename}"
+    # This actually exits with 0, no matter what
+    salt-key -d ${nodename}
+    (salt-key --list accepted | fgrep -q ${nodename}; \
+        if [ $? eq 0 ]; then log "unable to clean salt key, please check 
manually"; exit 1; fi;)
+}
+
+function sign_puppet {
+    nodename=${1}
+    force_yes=${2}
+    while 1;
+    do
+        log "Seeking the node cert to sign"
+        res=$(puppet cert list | sed -ne "s/\"$nodename\"//p")
+        if [ "x${res}" == "x" ]; then
+            log "cert not found, sleeping for 1 minute"
+            sleep $SLEEPTIME
+            continue
+        fi;
+
+        if [ ${force_yes} -eq 0 ]; then
+            echo "We have found a key for ${nodename} with the following 
fingerprint:"
+            echo "$res"
+            echo "Can we go on and sign it? (y/n)"
+            read choice
+            echo
+            if [ "x${choice}" != "xy" ]; then
+                log "Aborting on users request."
+                exit 1
+            fi;
+        fi;
+        puppet cert -s ${nodename}
+        break
+    done
+}
+
+function sign_salt {
+    nodename=${1}
+    while 1;
+    do
+        log "Seeking the node key to add"
+        res=$(salt-key --list unaccepted | sed -ne "s/$nodename//p")
+        if [ "x${res}" == "x" ]; then
+            log "key not found, sleeping for 1 minute"
+            sleep $SLEEPTIME
+            continue
+        fi;
+        salt-key -a ${nodename}
+        break
+    done
+
+}
+
+function usage {
+    echo "Usage: $0 [-y][-s SECONDS] <nodename>"; exit 1;
+}
+
+## Main script
+
+while getopts "ys:" option; do
+    case $option in
+        y)
+            FORCE=1
+            ;;
+        s)
+            SLEEPTIME=${OPTARG}
+            ;;
+        *)
+            usage
+            ;;
+esac
+done
+shift $((OPTIND-1))
+nodename=$1
+test -z ${nodename} && usage
+log "Preparing reimaging of node ${nodename}"
+
+clean_puppet $nodename
+clean_salt $nodename
+sign_puppet $nodename $FORCE
+sign_salt $nodename
+
+log "Node ${nodename} is now signed and both puppet and salt should work."
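Review bot: The "paranoid" checks in clean_puppet and clean_salt fail open, because `[ $? eq 0 ]` is missing the dash on `-eq`: the test errors out and the `exit 1` branch is never taken while the cert or key is still listed. In the opposite case, where the clean succeeded, `fgrep -q` finds nothing and the subshell (which inherits `set -e`) exits non-zero and aborts the whole script. Testing the pipeline directly in the `if` avoids both problems. The `while 1;` loops in sign_puppet and sign_salt look broken as well: `1` is not a command, so the body never runs and the script goes on to log that the node is signed without signing anything; `while true; do` is presumably what was meant. Since this script removes and signs trust material, it would also be worth quoting `"${nodename}"` throughout and matching the full name rather than a substring or an unescaped sed pattern.

```bash
function clean_puppet {
    # … unchanged: nodename assignment, log, puppet cert clean …
    # An additional, paranoid check.
    if puppet cert list --all | fgrep -q -- "${nodename}"; then
        log "unable to clean puppet cert, please check manually"
        exit 1
    fi
    # … unchanged: facts cache cleanup …
}

function clean_salt {
    # … unchanged: nodename assignment, log, salt-key -d …
    if salt-key --list accepted | fgrep -q -- "${nodename}"; then
        log "unable to clean salt key, please check manually"
        exit 1
    fi
}
```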
diff --git a/modules/puppetmaster/manifests/scripts.pp 
b/modules/puppetmaster/manifests/scripts.pp
index 21913da..4518208 100644
--- a/modules/puppetmaster/manifests/scripts.pp
+++ b/modules/puppetmaster/manifests/scripts.pp
@@ -39,4 +39,13 @@
         hour    => [4,16],
         minute  => 27,
     }
+
+    # Helper script to clean stored data about a server we're reimaging.
+    file { '/usr/local/bin/wmf-reimage':
+        ensure => 'present',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0544',
+        source => 'puppet://modules/puppetmaster/reimage.sh'
+    }
 }
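Review bot: The `source` URI in the new `file` resource has two slashes after `puppet:`, so `modules` is parsed as the file server hostname rather than as the mount point. The usual form leaves the server empty with three slashes: `source => 'puppet:///modules/puppetmaster/reimage.sh',`. As written, the agent will most likely fail to fetch the script. The enclosing class starts outside this hunk, so only the added resource is visible here.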


Gerrit-MessageType: newchange
Gerrit-Change-Id: Id898cce1f634f4ae2015173f15e95ab94d60fc43
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>
