Giuseppe Lavagetto has uploaded a new change for review. https://gerrit.wikimedia.org/r/153397
Change subject: puppetmaster: make reimaging servers easier. ...................................................................... puppetmaster: make reimaging servers easier. Change-Id: Id898cce1f634f4ae2015173f15e95ab94d60fc43 Signed-off-by: Giuseppe Lavagetto <glavage...@wikimedia.org> --- A modules/puppetmaster/files/reimage.sh M modules/puppetmaster/manifests/scripts.pp 2 files changed, 118 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/153397/1
diff --git a/modules/puppetmaster/files/reimage.sh b/modules/puppetmaster/files/reimage.sh
new file mode 100755
index 0000000..ac9780c
--- /dev/null
+++ b/modules/puppetmaster/files/reimage.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+# Helper script for reimaging a server.
+# Author: Giuseppe Lavagetto
+# Copyright (c) 2014 the Wikimedia Foundation
+set -e
+set -u
+SLEEPTIME=60
+FORCE=0
+
+function log {
+ echo "$@";
+}
+
+function clean_puppet {
+ nodename=${1}
+ log "cleaning puppet certificate for ${nodename}"
+ puppet cert clean ${nodename}
+ # An additional, paranoid check.
+ (puppet cert list --all | fgrep -q ${nodename}; \
+ if [ $? eq 0 ]; then log "unable to clean puppet cert, please check manually"; exit 1; fi;)
+ log "cleaning puppet facts cache for ${nodename}"
+ /usr/local/sbin/puppetstoredconfigclean.rb ${nodename}
+}
+
+function clean_salt {
+ nodename=${1}
+ log "cleaning salt key cache for ${nodename}"
+ # This actually exits with 0, no matter what
+ salt-key -d ${nodename}
+ (salt-key --list accepted | fgrep -q ${nodename}; \
+ if [ $? eq 0 ]; then log "unable to clean salt key, please check manually"; exit 1; fi;)
+}
+
+function sign_puppet {
+ nodename=${1}
+ force_yes=${2}
+ while 1;
+ do
+ log "Seeking the node cert to sign"
+ res=$(puppet cert list | sed -ne "s/\"$nodename\"//p")
+ if [ "x${res}" == "x" ]; then
+ log "cert not found, sleeping for 1 minute"
+ sleep $SLEEPTIME
+ continue
+ fi;
+
+ if [ ${force_yes} -eq 0 ]; then
+ echo "We have found a key for ${nodename} with the following fingerprint:"
+ echo "$res"
+ echo "Can we go on and sign it? (y/n)"
+ read choice
+ echo
+ if [ "x${choice}" != "xy" ]; then
+ log "Aborting on users request."
+ exit 1
+ fi;
+ fi;
+ puppet cert -s ${nodename}
+ break
+ done
+}
+
+function sign_salt {
+ nodename=${1}
+ while 1;
+ do
+ log "Seeking the node key to add"
+ res=$(salt-key --list unaccepted | sed -ne "s/$nodename//p")
+ if [ "x${res}" == "x" ]; then
+ log "key not found, sleeping for 1 minute"
+ sleep $SLEEPTIME
+ continue
+ fi;
+ salt-key -a ${nodename}
+ break
+ done
+
+}
+
+function usage {
+ echo "Usage: $0 [-y][-s SECONDS] <nodename>"; exit 1;
+}
+
+## Main script
+
+while getopts "ys:" option; do
+ case $option in
+ y)
+ FORCE=1
+ ;;
+ s)
+ SLEEPTIME=${OPTARG}
+ ;;
+ *)
+ usage
+ ;;
+esac
+done
+shift $((OPTIND-1))
+nodename=$1
+test -z ${nodename} && usage
+log "Preparing reimaging of node ${nodename}"
+
+clean_puppet $nodename
+clean_salt $nodename
+sign_puppet $nodename $FORCE
+sign_salt $nodename
+
+log "Node ${nodename} is now signed and both puppet and salt should work."
diff --git a/modules/puppetmaster/manifests/scripts.pp b/modules/puppetmaster/manifests/scripts.pp
index 21913da..4518208 100644
--- a/modules/puppetmaster/manifests/scripts.pp
+++ b/modules/puppetmaster/manifests/scripts.pp
@@ -39,4 +39,13 @@
 hour => [4,16],
 minute => 27,
 }
+
+ # Helper script to clean stored data about a server we're reimaging.
+ file { '/usr/local/bin/wmf-reimage':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0544',
+ source => 'puppet://modules/puppetmaster/reimage.sh'
+ }
 }
-- To view, visit https://gerrit.wikimedia.org/r/153397 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Id898cce1f634f4ae2015173f15e95ab94d60fc43 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
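Review bot: The paranoid checks in clean_puppet and clean_salt and the wait loops in sign_puppet and sign_salt do not behave as written, so the script can print "now signed" without having verified or signed anything. `[ $? eq 0 ]` lacks the dash on `-eq`, so the test errors and the "unable to clean" branch never runs, while under `set -e` the subshell aborts precisely when `fgrep -q` finds nothing, which is the success case; `while 1;` runs a command named `1`, which presumably does not exist, so both loop bodies are skipped. Matching is by substring (`fgrep`, unanchored `sed`), so a hostname that is a prefix of another can match the wrong entry, and `test -z ${nodename}` is never reached with no argument because `nodename=$1` trips `set -u` first. sign_salt accepts the key with no fingerprint prompt and `-y` removes the prompt for the certificate, so the first request seen under that name is trusted; a comment stating that assumption, or a fingerprint prompt for salt as well, would help. The fence sketches the puppet check and loop; clean_salt and sign_salt need the same change, with `grep -qxF -- "${nodename}"` for the salt listing (assuming one key name per line).

```shell
# clean_puppet: test the pipeline directly instead of inspecting $? in a subshell.
# Assumes names are quoted in the listing, as the sed in sign_puppet expects.
if puppet cert list --all | grep -qF -- "\"${nodename}\""; then
    log "unable to clean puppet cert, please check manually"
    exit 1
fi
# … unchanged: facts cache cleanup …

# sign_puppet: loop until the request shows up
while true; do
    # … unchanged: lookup, sleep/continue, confirmation prompt …
    puppet cert -s "${nodename}"
    break
done
```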
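Review bot: The `source` URI on the new `file` resource has two slashes after `puppet:`, so `modules` is read as the fileserver host rather than as the mount point, and the script will presumably fail to deploy. It should read `source => 'puppet:///modules/puppetmaster/reimage.sh',` with the trailing comma the other attributes carry. Since this installs a tool that signs certificates and accepts salt keys, the comment above the resource could say so instead of only "clean stored data", for example `# Helper script to clean and re-sign puppet/salt credentials for a server we're reimaging.`. The enclosing class starts outside the hunk.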