coren has uploaded a new change for review. https://gerrit.wikimedia.org/r/63375
Change subject: Tool Labs: Moar comments in the module ...................................................................... Tool Labs: Moar comments in the module To make things less opaque. Change-Id: I881744f200ef2bfb1d81717175bbc43b1757f876 --- M modules/toollabs/files/40-tools-bastion-banner M modules/toollabs/files/40-tools-exechost-banner M modules/toollabs/files/40-tools-infrastructure-banner M modules/toollabs/files/project-make-access M modules/toollabs/files/project-make-shosts M modules/toollabs/files/update-repo.sh M modules/toollabs/manifests/bastion.pp M modules/toollabs/manifests/exec_environ.pp M modules/toollabs/manifests/execnode.pp M modules/toollabs/manifests/infrastructure.pp M modules/toollabs/manifests/init.pp M modules/toollabs/manifests/master.pp M modules/toollabs/manifests/shadow.pp M modules/toollabs/manifests/webproxy.pp M modules/toollabs/manifests/webserver.pp 15 files changed, 62 insertions(+), 23 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/75/63375/1 diff --git a/modules/toollabs/files/40-tools-bastion-banner b/modules/toollabs/files/40-tools-bastion-banner index bfa5091..56b18d9 100755 --- a/modules/toollabs/files/40-tools-bastion-banner +++ b/modules/toollabs/files/40-tools-bastion-banner @@ -1,5 +1,9 @@ #! /bin/sh +# +# This script is managed by puppet +# + cat <<EOF [31m ########## [0;1;4mWikimedia Tool Labs[0m diff --git a/modules/toollabs/files/40-tools-exechost-banner b/modules/toollabs/files/40-tools-exechost-banner index 03e1735..27e8e5f 100644 --- a/modules/toollabs/files/40-tools-exechost-banner +++ b/modules/toollabs/files/40-tools-exechost-banner @@ -1,5 +1,9 @@ #! /bin/sh +# +# This script is managed by puppet +# + cat <<EOF [31m#######[0m [1mThis is an execution host of the Tool Labs grid engine.[0m diff --git a/modules/toollabs/files/40-tools-infrastructure-banner b/modules/toollabs/files/40-tools-infrastructure-banner index 0905b34..5a67afb 100644 
--- a/modules/toollabs/files/40-tools-infrastructure-banner +++ b/modules/toollabs/files/40-tools-infrastructure-banner @@ -1,5 +1,9 @@ #! /bin/sh +# +# This script is managed by puppet +# + cat <<EOF [33;1m^[0m [33;1m/ \[0m This server is part of the Tool Labs infrastructure. diff --git a/modules/toollabs/files/project-make-access b/modules/toollabs/files/project-make-access index 51c999b..ac74765 100644 --- a/modules/toollabs/files/project-make-access +++ b/modules/toollabs/files/project-make-access @@ -1,5 +1,9 @@ #! /bin/bash +# +# This script is managed by puppet +# + cd /data/project/.system/store echo '+:ALL:' $(for host in submithost-*; do if [ -s $host ]; then diff --git a/modules/toollabs/files/project-make-shosts b/modules/toollabs/files/project-make-shosts index 4085d10..1f84dd6 100644 --- a/modules/toollabs/files/project-make-shosts +++ b/modules/toollabs/files/project-make-shosts @@ -1,5 +1,9 @@ #! /bin/bash +# +# This script is managed by puppet +# + cd /data/project/.system/store (for host in submithost-*; do if [ -s $host ]; then diff --git a/modules/toollabs/files/update-repo.sh b/modules/toollabs/files/update-repo.sh index 7335d69..2855829 100644 --- a/modules/toollabs/files/update-repo.sh +++ b/modules/toollabs/files/update-repo.sh @@ -1,5 +1,9 @@ #! /bin/bash +# +# This script is managed by puppet +# + cd /data/project/.system/deb for arch in *; do if [ -d $arch ]; then diff --git a/modules/toollabs/manifests/bastion.pp b/modules/toollabs/manifests/bastion.pp index 53426ad..d96a1a3 100644 --- a/modules/toollabs/manifests/bastion.pp +++ b/modules/toollabs/manifests/bastion.pp @@ -37,8 +37,6 @@ content => "$ipaddress\n", } - - # TODO: sshd config # TODO: local scripts # TODO: j* tools # TODO: cron setup diff --git a/modules/toollabs/manifests/exec_environ.pp b/modules/toollabs/manifests/exec_environ.pp index 93c6459..2ccf6c0 100644 --- a/modules/toollabs/manifests/exec_environ.pp +++ b/modules/toollabs/manifests/exec_environ.pp 
@@ -93,8 +93,6 @@ sysctl { "vm.overcommit_memory": value => 2 } sysctl { "vm.overcommit_ratio": value => 95 } - # TODO: autofs overrides - # TODO: PAM config # TODO: quotas } diff --git a/modules/toollabs/manifests/execnode.pp b/modules/toollabs/manifests/execnode.pp index 8ba1be8..1e5c785 100644 --- a/modules/toollabs/manifests/execnode.pp +++ b/modules/toollabs/manifests/execnode.pp @@ -35,6 +35,12 @@ content => "$ipaddress\n", } + # Execution hosts have funky access requirements; they need to be ssh-able + # by service accounts, and they need to use host-based authentication. + + # We override /etc/ssh/shosts.equiv and /etc/security/access.conf + # accordingly from information collected from the project store. + file { "/usr/local/sbin/project-make-shosts": ensure => file, owner => 'root', diff --git a/modules/toollabs/manifests/infrastructure.pp b/modules/toollabs/manifests/infrastructure.pp index ee795ae..79d17bb 100644 --- a/modules/toollabs/manifests/infrastructure.pp +++ b/modules/toollabs/manifests/infrastructure.pp @@ -22,6 +22,9 @@ source => "puppet:///modules/toollabs/40-${instanceproject}-infrastructure-banner", } + # Infrastructure instances are limited to an (arbitrarily picked) local + # service group and root. + File <| title == '/etc/security/access.conf' |> { content => "-:ALL EXCEPT (local-admin) root:ALL\n", } diff --git a/modules/toollabs/manifests/init.pp b/modules/toollabs/manifests/init.pp index 20b43e7..2490f4a 100644 --- a/modules/toollabs/manifests/init.pp +++ b/modules/toollabs/manifests/init.pp 
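Review bot: The new comment in execnode.pp says shosts.equiv and access.conf are generated "from information collected from the project store" but leaves out the consequence that matters for review: the store's write permissions are the trust boundary for host-based authentication, since anything that can drop a `submithost-*` or `hostkey-*` file into `$store` ends up trusted by every execution node. Suggest extending the second paragraph with `# Whoever can write to $store can therefore grant themselves HBA access to every execution node; the store's permissions are the security boundary here.` The same gap exists in the `$store` comment added in init.pp's first hunk. As a point of style, the blank line between the two comment paragraphs detaches the second from the first; keep them as one block directly above the `file` resource. The enclosing class continues outside the hunk.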
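Review bot: The comment added in infrastructure.pp says login is limited to "an (arbitrarily picked) local service group" but makes the reader decode the access.conf line below to learn which group, and that it is a deny-all rule with two exceptions. Naming it keeps the policy auditable at a glance: `# Infrastructure instances deny login to everyone except members of the local-admin group and root (pam_access syntax: "-:ALL EXCEPT (local-admin) root:ALL").` The `File <| ... |>` override and the enclosing class continue outside the hunk.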
@@ -12,11 +12,19 @@ # Sample Usage: # class toollabs { - # TODO: autofs overrides - # TODO: PAM config $store = "/data/project/.system/store" $repo = "/data/project/.system/deb" + + # + # The $store is an incredibly horrid workaround the fact that we cannot + # use exported resources in our puppet setup: individual instances store + # information in a shared filesystem that are collected locally into + # files to finish up the configuration. + # + # Case in point here: SSH host keys distributed around the project for + # known_hosts and HBA of the execution nodes. + # file { $store: ensure => directory, @@ -35,11 +43,6 @@ content => "[$fqdn]:*,[$ipaddress]:* ssh-rsa $sshrsakey\n$fqdn ssh-rsa $sshrsakey\n", } - file { "/shared": - ensure => link, - target => "/data/project/.shared"; - } - exec { "make_known_hosts": command => "/bin/cat $store/hostkey-* >/etc/ssh/ssh_known_hosts~", require => File[$store], @@ -53,6 +56,12 @@ owner => "root", group => "root", } + + file { "/shared": + ensure => link, + target => "/data/project/.shared"; + } + # Tool Labs is enduser-facing, so we want to control the motd # properly (most things make no sense for community users: they @@ -69,6 +78,10 @@ purge => true, } + # We keep a project-locat apt repo where we stuff packages we build + # that are intended to be local to the project. By keeping it on the + # shared storage, we have no need to set up a server to use it. + file { "/etc/apt/sources.list.d/local.list": ensure => file, content => "deb [ arch=amd64 trusted=yes ] file:$repo/ amd64/\ndeb [ arch=all trusted=yes ] file:$repo/ all/\n", diff --git a/modules/toollabs/manifests/master.pp b/modules/toollabs/manifests/master.pp index ca0b6d6..3779a1f 100644 --- a/modules/toollabs/manifests/master.pp +++ b/modules/toollabs/manifests/master.pp 
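Review bot: The comment added above the `local.list` resource in init.pp's last hunk has a typo (`project-locat` for `project-local`) and, more importantly, does not say what serving the repo from shared storage costs: the sources.list entry below uses `trusted=yes`, which turns off apt signature verification for that repo, so package integrity on every instance rests on who can write to `$repo`. Suggest fixing the typo and appending `# NB: trusted=yes below disables apt signature checks for this repo; the write permissions on $repo are its only integrity control.` The `file { "/etc/apt/sources.list.d/local.list": ... }` resource continues outside the hunk.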
@@ -16,18 +16,17 @@ toollabs::exec_environ # TODO: Grid config - # TODO: Key collection - # TODO: sshd config # TODO: (conditional) shadow config - # TODO: NFS overrides (job queue) + # TODO: project-local NFS (job queue) - ## - ## These things are done on toollabs::master because they - ## need to be done exactly once per project (they live on the - ## shared filesystem), and there can only be exactly one - ## gridmaster in this setup. - ## + # + # These things are done on toollabs::master because they + # need to be done exactly once per project (they live on the + # shared filesystem), and there can only be exactly one + # gridmaster in this setup. They could have been done on + # any singleton instance. + # file { $repo: ensure => directory, diff --git a/modules/toollabs/manifests/shadow.pp b/modules/toollabs/manifests/shadow.pp index 53956db..560fc71 100644 --- a/modules/toollabs/manifests/shadow.pp +++ b/modules/toollabs/manifests/shadow.pp @@ -20,6 +20,6 @@ } # TODO: grid setup - # TODO: NFS overrides (job queue) + # TODO: project-local NFS (job queue) } diff --git a/modules/toollabs/manifests/webproxy.pp b/modules/toollabs/manifests/webproxy.pp index 50e50f6..eb044f6 100644 --- a/modules/toollabs/manifests/webproxy.pp +++ b/modules/toollabs/manifests/webproxy.pp @@ -14,6 +14,5 @@ include toollabs::infrastructure #TODO: apache config - #TODO: sshd config } diff --git a/modules/toollabs/manifests/webserver.pp b/modules/toollabs/manifests/webserver.pp index 7d2b4de..6ff3ffa 100644 --- a/modules/toollabs/manifests/webserver.pp +++ b/modules/toollabs/manifests/webserver.pp 
@@ -36,6 +36,5 @@ # TODO: Apache config # TODO: Local scripts - # TODO: sshd config } -- To view, visit https://gerrit.wikimedia.org/r/63375 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I881744f200ef2bfb1d81717175bbc43b1757f876 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: coren <mpellet...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits