Ayounsi has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/357825 )
Change subject: Rancid improvements
......................................................................
Rancid improvements
- Move to GIT
- Move to SSH KEY auth
- Ignore noisy lines
- Hide SNMP community string
- Replace : with ; in router.db (v3 change)
To be merged after:
- Rancid upgraded to 3.x
- Rancid stopped
- Rancid versioning folder converted to GIT
Todo after merge:
- Arm ssh key
- Test
Bug: T167288
Change-Id: I326f6874c08252617de18a1e5235fd86a186d1c8
---
M modules/rancid/files/core/router.db
M modules/rancid/files/rancid.conf
M modules/rancid/files/rancid.cron
M modules/rancid/manifests/init.pp
M modules/rancid/templates/cloginrc.erb
5 files changed, 48 insertions(+), 41 deletions(-)
Approvals:
jenkins-bot: Verified
Ayounsi: Looks good to me, approved
Volans: Looks good to me, but someone else must approve
diff --git a/modules/rancid/files/core/router.db
b/modules/rancid/files/core/router.db
index e07d7cd..f72a1f2 100644
--- a/modules/rancid/files/core/router.db
+++ b/modules/rancid/files/core/router.db
@@ -1,33 +1,33 @@
-asw-esams.mgmt.esams.wmnet:juniper:up:
-csw2-esams.mgmt.esams.wmnet:juniper:up:
-cr1-esams.wikimedia.org:juniper:up:
-cr2-esams.wikimedia.org:juniper:up:
-cr2-knams.wikimedia.org:juniper:up:
-cr1-eqiad.wikimedia.org:juniper:up:
-cr2-eqiad.wikimedia.org:juniper:up:
-cr1-eqord.wikimedia.org:juniper:up:
-asw-a-eqiad.mgmt.eqiad.wmnet:juniper:up:
-asw-b-eqiad.mgmt.eqiad.wmnet:juniper:up:
-asw-c-eqiad.mgmt.eqiad.wmnet:juniper:up:
-asw2-d-eqiad.mgmt.eqiad.wmnet:juniper:up:
-asw2-a5-eqiad.mgmt.eqiad.wmnet:juniper:up:
-msw1-eqiad.mgmt.eqiad.wmnet:juniper:up:
-lab-ex4200-1.mgmt.eqiad.wmnet:juniper:down:
-lab-ex4500-1.mgmt.eqiad.wmnet:juniper:down:
-pfw1-eqiad.wikimedia.org:juniper:up:
-pfw1-codfw.wikimedia.org:juniper:up:
-cr1-ulsfo.wikimedia.org:juniper:up:
-cr2-ulsfo.wikimedia.org:juniper:up:
-asw-ulsfo.mgmt.ulsfo.wmnet:juniper:up:
-cr1-codfw.wikimedia.org:juniper:up:
-cr2-codfw.wikimedia.org:juniper:up:
-cr1-eqdfw.wikimedia.org:juniper:up:
-asw-a-codfw.mgmt.codfw.wmnet:juniper:up:
-asw-b-codfw.mgmt.codfw.wmnet:juniper:up:
-asw-c-codfw.mgmt.codfw.wmnet:juniper:up:
-asw-d-codfw.mgmt.codfw.wmnet:juniper:up:
-msw1-codfw.mgmt.codfw.wmnet:juniper:up:
-mr1-eqiad.wikimedia.org:juniper:up:
-mr1-codfw.wikimedia.org:juniper:up:
-mr1-esams.wikimedia.org:juniper:up:
-mr1-ulsfo.wikimedia.org:juniper:up:
+asw-esams.mgmt.esams.wmnet;juniper;up;
+csw2-esams.mgmt.esams.wmnet;juniper;up;
+cr1-esams.wikimedia.org;juniper;up;
+cr2-esams.wikimedia.org;juniper;up;
+cr2-knams.wikimedia.org;juniper;up;
+cr1-eqiad.wikimedia.org;juniper;up;
+cr2-eqiad.wikimedia.org;juniper;up;
+cr1-eqord.wikimedia.org;juniper;up;
+asw-a-eqiad.mgmt.eqiad.wmnet;juniper;up;
+asw-b-eqiad.mgmt.eqiad.wmnet;juniper;up;
+asw-c-eqiad.mgmt.eqiad.wmnet;juniper;up;
+asw2-d-eqiad.mgmt.eqiad.wmnet;juniper;up;
+asw2-a5-eqiad.mgmt.eqiad.wmnet;juniper;up;
+msw1-eqiad.mgmt.eqiad.wmnet;juniper;up;
+lab-ex4200-1.mgmt.eqiad.wmnet;juniper;down;
+lab-ex4500-1.mgmt.eqiad.wmnet;juniper;down;
+pfw1-eqiad.wikimedia.org;juniper;up;
+pfw1-codfw.wikimedia.org;juniper;up;
+cr1-ulsfo.wikimedia.org;juniper;up;
+cr2-ulsfo.wikimedia.org;juniper;up;
+asw-ulsfo.mgmt.ulsfo.wmnet;juniper;up;
+cr1-codfw.wikimedia.org;juniper;up;
+cr2-codfw.wikimedia.org;juniper;up;
+cr1-eqdfw.wikimedia.org;juniper;up;
+asw-a-codfw.mgmt.codfw.wmnet;juniper;up;
+asw-b-codfw.mgmt.codfw.wmnet;juniper;up;
+asw-c-codfw.mgmt.codfw.wmnet;juniper;up;
+asw-d-codfw.mgmt.codfw.wmnet;juniper;up;
+msw1-codfw.mgmt.codfw.wmnet;juniper;up;
+mr1-eqiad.wikimedia.org;juniper;up;
+mr1-codfw.wikimedia.org;juniper;up;
+mr1-esams.wikimedia.org;juniper;up;
+mr1-ulsfo.wikimedia.org;juniper;up;
diff --git a/modules/rancid/files/rancid.conf b/modules/rancid/files/rancid.conf
index a319dd3..2573017 100644
--- a/modules/rancid/files/rancid.conf
+++ b/modules/rancid/files/rancid.conf
@@ -21,14 +21,14 @@
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin;
export PATH
# Location of the CVS/SVN repository. Be careful changing this.
-CVSROOT=$BASEDIR/CVS; export CVSROOT
+CVSROOT=$BASEDIR/GIT; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn". Do not change
# this after CVSROOT has been created with rancid-cvs. Changing between these
# requires manual conversions.
-RCSSYS=cvs; export RCSSYS
+RCSSYS=git; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
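Review bot: The two context comments above the changed assignments are now stale: they still describe a "CVS/SVN repository" and list only "cvs" (default) or "svn" as valid RCSSYS values, while the new value is `git`. I would update them in the same change, e.g. `# Location of the CVS/SVN/GIT repository. Be careful changing this.` and `# Select which RCS system to use: "cvs" (default), "svn" or "git".`, so the next reader does not take `git` for a typo. The warning about manual conversion when switching systems still applies and is worth keeping.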
@@ -39,10 +39,10 @@
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL). see rancid.conf(5).
-#FILTER_PWDS=YES; export FILTER_PWDS
+FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
-#NOCOMMSTR=YES; export NOCOMMSTR
+NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up. Minimum: 1
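Review bot: `FILTER_PWDS=YES` leaves hashed secrets in the stored configs: per rancid.conf(5), YES strips only plain-text and reversible passwords, while ALL also strips hashed ones. Since the collected configs go into the version repository and into the diff output, I would use `FILTER_PWDS=ALL; export FILTER_PWDS` unless something downstream needs the hashes. Separately, both settings only affect new collections. Revisions carried over from the converted CVS history presumably still contain the SNMP community strings, so access to that history should be restricted and the community rotated.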
@@ -81,4 +81,8 @@
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers. Individual headers must be separated
# by a \n.
-#MAILHEADERS="Precedence: bulk"; export MAILHEADERS
\ No newline at end of file
+#MAILHEADERS="Precedence: bulk"; export MAILHEADERS
+
+# Remove lines such as: "# TFEB 0 MQ 0 TSen OK"
+# and lldpd.core-tarball.1
+DIFFSCRIPT="sed -e '/#\s\{2,\}TFEB.*$/d' -e '/lldpd.core-tarball.1/d' |
expand"; export DIFFSCRIPT
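Review bot: The second sed expression, `/lldpd.core-tarball.1/d`, has unescaped dots and no anchor, so it deletes any diff line containing a match rather than only the core-file entry; `-e '/lldpd\.core-tarball\.1/d'` is tighter. The TFEB pattern relies on `\s`, a GNU sed extension, which is fine on Linux but worth a word in the comment. Because this filter sits between a device config change and the people reviewing it, the comment should also say that the lines are only hidden from the diff output (as far as I can tell from DIFFSCRIPT's role) and why each one is safe to ignore.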
diff --git a/modules/rancid/files/rancid.cron b/modules/rancid/files/rancid.cron
index b722bf8..a3d1251 100644
--- a/modules/rancid/files/rancid.cron
+++ b/modules/rancid/files/rancid.cron
@@ -1,4 +1,4 @@
# Run config differ hourly
-1 * * * * rancid /usr/lib/rancid/bin/rancid-run
+1 * * * * rancid SSH_AUTH_SOCK=/run/keyholder/proxy.sock
/usr/lib/rancid/bin/rancid-run
# Clean out rancid logs
50 23 * * * rancid /usr/bin/find /var/log/rancid -type f -mtime +2 -exec
rm {} \;
diff --git a/modules/rancid/manifests/init.pp b/modules/rancid/manifests/init.pp
index 5d20429..f1add61 100644
--- a/modules/rancid/manifests/init.pp
+++ b/modules/rancid/manifests/init.pp
@@ -19,7 +19,10 @@
home => '/var/lib/rancid',
}
- include ::passwords::rancid
+ ::keyholder::agent { 'rancid':
+ require => Group['rancid'],
+ trusted_groups => ['rancid'],
+ }
file { '/etc/rancid/rancid.conf':
require => Package['rancid'],
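Review bot: Nothing in the manifest records that collection now depends on a keyholder key that has to be armed by hand; the commit message lists "Arm ssh key" as a post-merge step, and presumably the same step is needed after every reboot. I would add a comment above the resource, e.g. `# rancid logs in to devices with the 'rancid' keyholder key; it must be armed before rancid-run can authenticate`. `trusted_groups => ['rancid']` lets every member of that group use the key through the proxy, so membership should stay limited to the service account. The enclosing class starts and ends outside this hunk, so I cannot see whether a failed run is monitored.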
diff --git a/modules/rancid/templates/cloginrc.erb
b/modules/rancid/templates/cloginrc.erb
index f8bc169..1b62f43 100644
--- a/modules/rancid/templates/cloginrc.erb
+++ b/modules/rancid/templates/cloginrc.erb
@@ -1,2 +1,2 @@
add method * {ssh}
-add password * {<%= scope.lookupvar("passwords::rancid::rancidpass") %>}
+add password * {bogus_password}
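Review bot: The placeholder `add password * {bogus_password}` is undocumented, and it is presumably still what clogin answers with if a device falls back to a password prompt, for instance while the key is not armed, which would show up as failed logins on the routers. A comment such as `# placeholder: authentication is by SSH key via keyholder, this value is never valid` would make the intent clear. The password previously rendered here from `passwords::rancid::rancidpass` should also be removed or rotated on the devices, otherwise the move to key authentication leaves the old credential usable.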
--
To view, visit https://gerrit.wikimedia.org/r/357825
Gerrit-MessageType: merged
Gerrit-Change-Id: I326f6874c08252617de18a1e5235fd86a186d1c8
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ayounsi <[email protected]>
Gerrit-Reviewer: Ayounsi <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Volans <[email protected]>
Gerrit-Reviewer: jenkins-bot <>