Ottomata has uploaded a new change for review. https://gerrit.wikimedia.org/r/58540
Change subject: Refactoring puppetmaster::self to allow for puppet clients. ...................................................................... Refactoring puppetmaster::self to allow for puppet clients. puppetmaster::self is retained for backwards compatiblity. Woowee, let's see if this works! Change-Id: I7d8d68684e726c79d56e9027423590b94957cbcd --- M manifests/puppetmaster.pp M templates/puppet/fileserver-self.conf.erb M templates/puppet/puppet.conf.d/10-self.conf.erb 3 files changed, 262 insertions(+), 134 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/40/58540/1
diff --git a/manifests/puppetmaster.pp b/manifests/puppetmaster.pp
index 6a922de..413461b 100644
--- a/manifests/puppetmaster.pp
+++ b/manifests/puppetmaster.pp
@@ -392,142 +392,125 @@ } -# Class: puppetmaster::self + # -# This configures a single system as both puppet client and puppet master. -# Such a config is useful for puppet development as it allows testing -# and debugging in one place. +# Below are classes used to configure self hosted puppet +# on labs instances. puppet::self is the recommended class +# to use. Use this class for both your puppetmasters +# and puppet clients. # -# The puppet files and manifests are checked out in $gitdir/operations/puppet -# where they can be modified and then re-applied to the instance via -# puppetd -tv. + + +# == Class puppet::self +# Wrapper class for puppet::self::master +# and puppet::self::client. +# If $server is localhost or matches the $fqdn of this node, +# then this node will be configured as a puppetmaster. +# NOTE: server -> localhost does the exact same +# thing as the original puppetmaster::self class used to do. # -# This class should probably only be used on temporary labs instances. +# == Parameters +# $server - hostname of the puppetmaster. Defaults to 'localhost'. +# +class puppet::self($server = 'localhost') { + if ($server == 'localhost' or $server == $fqdn) { + class { 'puppet::self::master': + server => $server + } + } + else { + class { 'puppet::self::client': + server => $server, + } + } +} + +# == Class puppetmaster::self +# Wrapper class for puppet::self::master +# with server => localhost. This is +# maintained for backwards compatibility. # class puppetmaster::self { + class { 'puppet::self::master': + server => 'localhost', + } +} - class config inherits base::puppet { - include role::ldap::config::labs +# == Class puppet::self::client +# Sets up a node as a puppet client with +# $server as the puppetmaster. +# +# == Parameters +# $server - hostname of the puppetmaster. 
+# +class puppet::self::client($server) { + system_role { 'puppetmaster': + description => "Puppet client of ${server}" + } - $ldapconfig = $role::ldap::config::labs::ldapconfig - $basedn = $ldapconfig["basedn"] + # Most of the defaults in puppet::self::config + # are good for setting up a puppet client. + class { 'puppet::self::config': + server => $server, + } +} - $config = { - 'dbadapter' => "sqlite3", - 'node_terminus' => "ldap", - 'ldapserver' => $ldapconfig["servernames"][0], - 'ldapbase' => "ou=hosts,${basedn}", - 'ldapstring' => "(&(objectclass=puppetClient)(associatedDomain=%s))", - 'ldapuser' => $ldapconfig["proxyagent"], - 'ldappassword' => $ldapconfig["proxypass"], - 'ldaptls' => true - } - - File["/etc/puppet/puppet.conf.d/10-main.conf"] { - ensure => absent - } - - file { "/etc/puppet/puppet.conf.d/10-self.conf": - require => File["/etc/puppet/puppet.conf.d"], - owner => root, - group => root, - mode => 0444, - content => template("puppet/puppet.conf.d/10-self.conf.erb"), - notify => Exec["compile puppet.conf"]; - } - - file { "/etc/puppet/fileserver.conf": - owner => root, - group => root, - mode => 0444, - content => template("puppet/fileserver-self.conf.erb") - } - - $gitdir = "/var/lib/git" - file { "/etc/puppet/private": - ensure => link, - target => "$gitdir/labs/private", - force => true, - } - file { "/etc/puppet/templates": - ensure => link, - target => "$gitdir/operations/puppet/templates", - force => true, - } - file { "/etc/puppet/files": - ensure => link, - target => "$gitdir/operations/puppet/files", - force => true, - } - file { "/etc/puppet/manifests": - ensure => link, - target => "$gitdir/operations/puppet/manifests", - force => true, - } - file { "/etc/puppet/modules": - ensure => link, - target => "$gitdir/operations/puppet/modules", - force => true, +# == Class puppet::self::master +# Sets up a node as a puppetmaster. +# If server => localhost, then this node will +# be set up to only act as a puppetmaster for itself. 
+# Otherwise, this server will be able to act as a puppetmaster +# for any labs nodes that are configured using the puppet::self::client +# class with $server set to this nodes $fqdn. +# +# This class will clone the operations/puppet git repository +# and set it up with proper symlinks in /etc/puppet. +# +# == Parameters +# $server - hostname of the puppetmaster. +# +class puppet::self::master($server) { + system_role { "puppetmaster": + description => $server ? { + 'localhost' => 'Puppetmaster for itself', + default => 'Puppetmaster for project labs instances', } } - class gitclone { - $gitdir = "/var/lib/git" + # If localhost, only bind to loopback. + $bindaddress = $server ? { + 'localhost' => '127.0.0.1', + default => $ipaddress, + } - file { "$gitdir": - ensure => directory, - owner => root, - group =>root, - } - file { "$gitdir/operations": - ensure => directory, - owner => root, - group => root, - } - file { "$gitdir/labs": - ensure => directory, - # private repo resides here, so enforce some perms - owner => root, - group => puppet, - mode => 0640, - } - - file { "$gitdir/ssh": - ensure => file, - owner => root, - group => root, - mode => 0755, - # FIXME: ok, this sucks. ew. ewww. 
- content => "#!/bin/sh\nexec ssh -o StrictHostKeyChecking=no -i $gitdir/labs-puppet-key \$*\n", - require => File["$gitdir/labs-puppet-key"], - } - file { "$gitdir/labs-puppet-key": - ensure => file, - owner => root, - group => root, - mode => 0600, - source => "puppet:///private/ssh/labs-puppet-key", - } - - git::clone { "operations/puppet": - directory => "$gitdir/operations/puppet", - branch => "production", - origin => "https://gerrit.wikimedia.org/r/operations/puppet.git", - require => File["$gitdir/operations"], - } - git::clone { "labs/private": - directory => "$gitdir/labs/private", - origin => "ssh://labs-pup...@gerrit.wikimedia.org:29418/labs/private.git", - ssh => "$gitdir/ssh", - require => [ File["$gitdir/labs"], File["$gitdir/ssh"] ], + # If localhost, only allow this node. + # Else allow the labs subnet. + $puppet_client_subnet = $server ? { + 'localhost' => '127.0.0.1', + default => $::site ? { + 'pmtpa' => '10.4.0.0/21', + 'eqiad' => undef, # eqiad does not have labs yet. } } - system_role { "puppetmaster": description => "Puppetmaster for itself" } + # If localhost, then just name the cert 'localhost'. + # Else certname should be the labs instanceid. ($dc comes from ldap.) + $certname = $server ? { + 'localhost' => 'localhost', + default => "${dc}.${domain}" + } - include config - include gitclone - + class { 'puppet::self::config': + is_puppetmaster => true, + server => $server, + bindaddress => $bindaddress, + puppet_client_subnet => $puppet_client_subnet, + certname => $certname, + } + class { 'puppet::self::gitclone': + require => Class['puppet::self::config'], + } + package { [ "vim-puppet", "puppet-el", "rails" ]: ensure => present, } 
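Review bot: In `puppet::self::master`, the `$puppet_client_subnet` selector yields `undef` when `$::site` is `eqiad` and `$server` is not `localhost`, and that value is interpolated verbatim into every `allow` line of `fileserver-self.conf.erb`, leaving each mount with an empty `allow` entry instead of a clear failure. Since the inline comment says eqiad has no labs yet, failing early is safer than emitting an ambiguous fileserver ACL: `if ! $puppet_client_subnet { fail("puppet::self::master: no labs client subnet known for site ${::site}") }` directly after the selector. A similar silent default applies to `$certname`, which becomes `.${domain}` if `$dc` is not set by LDAP. The class body continues into the next hunk.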
@@ -543,15 +526,158 @@ Package['rails'], Package['libsqlite3-ruby'], Package['libldap-ruby1.8'], - Class['config'], - Class['gitclone'], + Class['puppet::self::config'], + Class['puppet::self::gitclone'], ], } - class { "puppetmaster::ssl": + class { 'puppetmaster::ssl': server_name => $fqdn, ca => true } include puppetmaster::scripts } + + +# == Class puppet::self::config +# Configures variables and puppet config files +# for either self puppetmasters or self puppet clients. +# +# == Parameters +# $server - hostname of the puppetmaster. +# $is_puppetmaster - true or false. Default: false. +# $bindaddress - address to which a puppetmaster should listen. Unused if $is_puppetmaster is false. +# $puppet_client_subnet - Network from which to allow fileserver connections. Unused if $is_puppetmaster is false. +# $certname - Name of the puppet CA certificate. Default: "${dc}.{$domain}", e.g. the labs instance name: i-00000699.pmtpa.wmflabs. +# +class puppet::self::config( + $server, + $is_puppetmaster = false, + $bindaddress = undef, + $puppet_client_subnet = undef, + $certname = "${dc}.${domain}") inherits base::puppet +{ + include role::ldap::config::labs + + $ldapconfig = $role::ldap::config::labs::ldapconfig + $basedn = $ldapconfig['basedn'] + + $config = { + 'dbadapter' => 'sqlite3', + 'node_terminus' => 'ldap', + 'ldapserver' => $ldapconfig['servernames'][0], + 'ldapbase' => "ou=hosts,${basedn}", + 'ldapstring' => '(&(objectclass=puppetClient)(associatedDomain=%s))', + 'ldapuser' => $ldapconfig['proxyagent'], + 'ldappassword' => $ldapconfig['proxypass'], + 'ldaptls' => true + } + + File['/etc/puppet/puppet.conf.d/10-main.conf'] { + ensure => absent + } + + file { '/etc/puppet/puppet.conf.d/10-self.conf': + require => File['/etc/puppet/puppet.conf.d'], + owner => root, + group => root, + mode => 0444, + content => template('puppet/puppet.conf.d/10-self.conf.erb'), + notify => Exec['compile puppet.conf']; + } + + file { '/etc/puppet/fileserver.conf': + owner => root, 
+ group => root, + mode => 0444, + content => template('puppet/fileserver-self.conf.erb'), + ensure => $is_puppetmaster ? { + true => 'file', + default => absent, + } + } +} + + +# == Class puppet::self::gitclone +# Clones the operations/puppet repository +# for use by puppet::self::masters. +# +class puppet::self::gitclone { + $gitdir = '/var/lib/git' + + file { $gitdir: + ensure => directory, + owner => root, + group =>root, + } + file { "${gitdir}/operations": + ensure => directory, + owner => root, + group => root, + } + file { "${gitdir}/labs": + ensure => directory, + # private repo resides here, so enforce some perms + owner => root, + group => puppet, + mode => 0640, + } + + file { "${gitdir}/ssh": + ensure => file, + owner => root, + group => root, + mode => 0755, + # FIXME: ok, this sucks. ew. ewww. + content => "#!/bin/sh\nexec ssh -o StrictHostKeyChecking=no -i ${gitdir}/labs-puppet-key \$*\n", + require => File["${gitdir}/labs-puppet-key"], + } + file { "${gitdir}/labs-puppet-key": + ensure => file, + owner => root, + group => root, + mode => 0600, + source => 'puppet:///private/ssh/labs-puppet-key', + } + + git::clone { 'operations/puppet': + directory => "${gitdir}/operations/puppet", + branch => 'production', + origin => 'https://gerrit.wikimedia.org/r/operations/puppet.git', + require => File["${gitdir}/operations"], + } + git::clone { 'labs/private': + directory => "${gitdir}/labs/private", + origin => 'ssh://labs-pup...@gerrit.wikimedia.org:29418/labs/private.git', + ssh => "${gitdir}/ssh", + require => [ File["${gitdir}/labs"], File["${gitdir}/ssh"] ], + } + + file { '/etc/puppet/private': + ensure => link, + target => "${gitdir}/labs/private", + force => true, + } + file { '/etc/puppet/templates': + ensure => link, + target => "${gitdir}/operations/puppet/templates", + force => true, + } + file { '/etc/puppet/files': + ensure => link, + target => "${gitdir}/operations/puppet/files", + force => true, + } + file { '/etc/puppet/manifests': + 
ensure => link,
+ target => "${gitdir}/operations/puppet/manifests",
+ force => true,
+ }
+ file { '/etc/puppet/modules':
+ ensure => link,
+ target => "${gitdir}/operations/puppet/modules",
+ force => true,
+ }
+}
diff --git a/templates/puppet/fileserver-self.conf.erb b/templates/puppet/fileserver-self.conf.erb
index 482e8f3..2120a0f 100644
--- a/templates/puppet/fileserver-self.conf.erb
+++ b/templates/puppet/fileserver-self.conf.erb
@@ -7,23 +7,23 @@
 # over deny
 [files]
 path /etc/puppet/files
- allow 127.0.0.1
+ allow <%= puppet_client_subnet %>
 [plugins]
- allow 127.0.0.1
+ allow <%= puppet_client_subnet %>
 [private]
 path /etc/puppet/private/files
- allow 127.0.0.1
+ allow <%= puppet_client_subnet %>
 [facts]
 path /var/lib/puppet/facts
- allow 127.0.0.1
+ allow <%= puppet_client_subnet %>
 [volatile]
 path /var/lib/puppet/volatile
- allow 127.0.0.1
+ allow <%= puppet_client_subnet %>
 [software]
 path /etc/puppet/software
- allow 127.0.0.1
+ allow <%= puppet_client_subnet %>
diff --git a/templates/puppet/puppet.conf.d/10-self.conf.erb b/templates/puppet/puppet.conf.d/10-self.conf.erb
index 605148a..716ae46 100644
--- a/templates/puppet/puppet.conf.d/10-self.conf.erb
+++ b/templates/puppet/puppet.conf.d/10-self.conf.erb
@@ -3,12 +3,13 @@
 [main]
 logdir = /var/log/puppet
 vardir = /var/lib/puppet
-ssldir = /var/lib/puppet/server/ssl
+ssldir = <%= is_puppetmaster ? '/var/lib/puppet/server/ssl' : '/var/lib/puppet/ssl' %>
 rundir = /var/run/puppet
 factpath = $vardir/lib/facter
+certname = <%= certname %>
 [agent]
-server = localhost
+server = <%= server %>
 configtimeout = 480
 splay = true
 prerun_command = /etc/puppet/etckeeper-commit-pre
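Review bot: `puppet::self::config` writes `/etc/puppet/puppet.conf.d/10-self.conf` with `mode => 0444`, and on a master that fragment carries the `$config` hash, including `'ldappassword' => $ldapconfig['proxypass']`, so the LDAP proxy credential ends up readable by every local user. Tightening it to `mode => 0440` with the group the master process runs as (presumably `puppet`, the group already used for `${gitdir}/labs`) keeps it readable where needed; the mode of the assembled `/etc/puppet/puppet.conf` produced by `Exec['compile puppet.conf']` is not visible here and should be checked as well. Separately, the `${gitdir}/ssh` wrapper in `puppet::self::gitclone` still passes `-o StrictHostKeyChecking=no` for the `labs/private` clone, which the existing FIXME already notes; managing a `known_hosts` entry for gerrit would let that option go.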
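Review bot: Every mount, including `[private]` (`/etc/puppet/private/files`, which is the `labs/private` checkout), now allows the whole `puppet_client_subnet`; with the `pmtpa` value `10.4.0.0/21` chosen in the `puppetmaster.pp` hunk, any instance on the labs network can fetch private files from this master, not only the project's own clients. Puppet's fileserver `allow` also accepts hostnames and `*.domain` patterns, so restricting at least `[private]` to the clients' certnames, or documenting that such a master must only hold project-specific secrets, would narrow the exposure. The template has no fallback when the variable is empty, so the `undef` case from the manifest renders as a bare `allow` line.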
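Review bot: `certname = <%= certname %>` now sits under `[main]`, so it applies to the agent as well as the master; in the `server => localhost` case the agent previously used its default identity and now presents `localhost`, while the master's `hostcert` line later in the file still points at `<%= fqdn %>.pem`. If that is intended, a template comment such as `# certname is shared by agent and master; 'localhost' for a self-only master, the instance name otherwise` would save the next reader the trace; otherwise keep `certname` under `[master]` as before and pass the instance name to `[agent]` separately. The `ssldir` ternary here also duplicates the `ssldir` set under `[master]` in the next hunk for the master case.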
@@ -16,15 +17,15 @@ pluginsync = false
 report = true
+<% if is_puppetmaster -%>
 [master]
-bindaddress = 127.0.0.1
+bindaddress = <%= bindaddress %>
 ca_md = sha1
-certname = localhost
 thin_storeconfigs = true
 templatedir = /etc/puppet/templates
 # SSL
-ssldir = /var/lib/puppet/server/ssl/
+ssldir = /var/lib/puppet/server/ssl
 ssl_client_header = SSL_CLIENT_S_DN
 ssl_client_verify_header = SSL_CLIENT_VERIFY
 hostcert = /var/lib/puppet/server/ssl/certs/<%= fqdn %>.pem
@@ -33,3 +34,4 @@
 <% scope.lookupvar('puppetmaster::self::config::config').sort.each do |setting, value| -%>
 <%= setting %> = <%= value %>
 <% end -%>
+<% end -%>
\ No newline at end of file
-- To view, visit https://gerrit.wikimedia.org/r/58540 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7d8d68684e726c79d56e9027423590b94957cbcd Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ottomata <o...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
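Review bot: `bindaddress = <%= bindaddress %>` renders an empty value whenever `puppet::self::config` is declared with `is_puppetmaster => true` but no `bindaddress`, since that parameter defaults to `undef`; a guard in the class, `if $is_puppetmaster and ! $bindaddress { fail('puppet::self::config: bindaddress is required for a puppetmaster') }`, turns a malformed `[master]` section into a clear error. The unchanged `ca_md = sha1` line is worth revisiting while this template is being reworked, as SHA-1 is a weak choice for CA signatures. The `[master]` block opened by the new `<% if is_puppetmaster -%>` continues into the next hunk.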
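Review bot: `scope.lookupvar('puppetmaster::self::config::config')` still names the old class, but the `$config` hash is now declared in `puppet::self::config` (see the `puppetmaster.pp` hunk), so on a master this loop no longer finds the LDAP node-terminus settings; the line should read `<% scope.lookupvar('puppet::self::config::config').sort.each do |setting, value| -%>`. Depending on the Puppet version, the failed lookup presumably returns an empty string or `:undefined`, on which `.sort` would raise during template evaluation rather than silently drop the settings, so this should surface on the first run of a self-hosted master. Note that `puppetmaster::self` still exists as a wrapper, so the old class name resolves but carries no `$config` variable.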