Andrew Bogott has submitted this change and it was merged.

Change subject: Remove labs puppetmaster certcleaner
......................................................................


Remove labs puppetmaster certcleaner

All of this cleanup should now happen via async 'designate sink' calls.

Bug: T146303
Change-Id: I9fb042ba6b37657b17d8a6cf3cc6095f508de3b1
---
D modules/puppetmaster/manifests/certcleaner.pp
D modules/puppetmaster/templates/certcleaner.py.erb
M modules/role/manifests/labs/puppetmaster.pp
3 files changed, 0 insertions(+), 169 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/puppetmaster/manifests/certcleaner.pp 
b/modules/puppetmaster/manifests/certcleaner.pp
deleted file mode 100644
index b0c4537..0000000
--- a/modules/puppetmaster/manifests/certcleaner.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-# = Class: puppetmaster::certcleaner
-# Automatically signs new puppet & salt certificate requests
-class puppetmaster::certcleaner {
-
-    $puppetmaster_service_name = hiera('labs_puppet_master', $::fqdn)
-
-    file { '/usr/local/sbin/certcleaner.py':
-        ensure  => present,
-        content => template('puppetmaster/certcleaner.py.erb'),
-        mode    => '0550',
-        owner   => 'root',
-        group   => 'root'
-    }
-
-    cron { 'puppet_certificate_signer':
-        ensure  => absent,
-        command => '/usr/local/sbin/puppetsigner.py > /dev/null 2>&1',
-    }
-
-    cron { 'puppet_salt_certificate_cleaner':
-        command => '/usr/local/sbin/certcleaner.py > /dev/null 2>&1',
-        require => File['/usr/local/sbin/certcleaner.py'],
-        user    => 'root',
-    }
-}
diff --git a/modules/puppetmaster/templates/certcleaner.py.erb 
b/modules/puppetmaster/templates/certcleaner.py.erb
deleted file mode 100755
index b3aa8ac..0000000
--- a/modules/puppetmaster/templates/certcleaner.py.erb
+++ /dev/null
@@ -1,143 +0,0 @@
-#!/usr/bin/python
-
-#####################################################################
-### THIS FILE IS MANAGED BY PUPPET
-### puppet:///modules/puppetmaster/templates/certcleaner.py.erb
-#####################################################################
-
-import sys
-import re
-import ldapsupportlib
-import socket
-import subprocess
-import os
-import json
-import ldap
-import logging
-from optparse import OptionParser  # FIXME: Use argparse
-
-LOG = logging.getLogger('certcleaner')
-LOG.setLevel(logging.INFO)
-LOG.addHandler(logging.FileHandler('/var/log/certcleaner'))
-
-
-def getPuppetInfo(attr, conffile="/etc/puppet/puppet.conf"):
-    f = open(conffile)
-    for line in f:
-        if line.split('=', 1)[0].strip() == attr:
-            return line.split('=', 1)[1].strip()
-
-
-def purgeSaltKeys(output, minion_type):
-    salt_hosts = json.loads(output)
-    for host in salt_hosts[minion_type]:
-        if not re.match(r'^[\.a-zA-Z0-9_-]+\.eqiad\.wmflabs$', host):
-            print 'Invalid hostname', host
-            subprocess.check_call(['/usr/bin/salt-key', '-y', 
'--rotate-aes-key=', '-r', host])
-            subprocess.check_call(['/usr/bin/salt-key', '-y', 
'--rotate-aes-key=', '-d', host])
-            continue
-
-        ldap_query = "(&(objectclass=puppetclient)(|(dc=" + host + 
")(cnamerecord=" + host + ")(associateddomain=" + host + ")))"
-        host_result = ds.search_s(basedn, ldap.SCOPE_SUBTREE, ldap_query)
-        if not host_result:
-            sys.stderr.write('Removing stale salt key %s\n' % host)
-            LOG.warn('Removing stale salt key %s\n' % host)
-            try:
-                subprocess.check_call(['/usr/bin/salt-key', '-y', 
'--rotate-aes-key=', '-r', host])
-                subprocess.check_call(['/usr/bin/salt-key', '-y', 
'--rotate-aes-key=', '-d', host])
-            except subprocess.CalledProcessError:
-                sys.stderr.write('Failed to remove stale salt key %s\n' % host)
-                LOG.warn('Failed to remove stale salt key %s\n' % host)
-
-
-parser = OptionParser(conflict_handler="resolve")
-parser.set_usage("puppetsigner [options]")
-ldapSupportLib = ldapsupportlib.LDAPSupportLib()
-ldapSupportLib.addParserOptions(parser)
-(options, args) = parser.parse_args()
-
-ldapSupportLib.setBindInfoByOptions(options, parser)
-ds = ldapSupportLib.connect()
-basedn = ldapSupportLib.getLdapInfo('base')
-
-LOG.debug('Certcleaner run beginning')
-
-try:
-    puppet_output = subprocess.check_output(['/usr/bin/puppet', 'cert', 
'list', '--all'])
-    if puppet_output == '':
-        hosts = []
-    else:
-        hosts = puppet_output.strip().split("\n")
-
-    for host_string in hosts:
-        host = host_string.split()
-        # check to make sure hostname is actual hostname, to prevent
-        # ldap injection attacks
-        if host[0] == "(":
-            continue  # FIXME: WAT
-        if host[0] == '-':
-            # Already marked as invalid or revoked
-            continue
-        if host[0] == '+':
-            # Already signed
-            signed = True
-            hostname = host[1].strip('"')
-        else:
-            signed = False
-            hostname = host[0].strip('"')
-
-        if hostname == socket.getfqdn():
-            # Ourselves!
-            continue
-
-        if hostname == "<%= @puppetmaster_service_name %>":
-            # Ourselves!
-            continue
-
-        # Skip pathological hostnames -- possible attack vector.
-        if not re.match(r'^[\.a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname):
-            sys.stderr.write('Invalid hostname %s\n' % hostname)
-            LOG.warn('Removing puppet cert for crazy hostname %s' % hostname)
-            try:
-                subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', 
hostname])
-            except subprocess.CalledProcessError:
-                sys.stderr.write('Failed cleanup of %s\n' % hostname)
-                LOG.warn('Failed cleanup of %s\n' % hostname)
-            continue
-
-        # Erase keys that don't correspond to ldap.
-        query = "(&(objectclass=puppetclient)(|(dc=" + hostname + 
")(cnamerecord=" + hostname + ")(associateddomain=" + hostname + ")))"
-        host_info = ds.search_s(basedn, ldap.SCOPE_SUBTREE, query)
-        if not host_info:
-            sys.stderr.write('Removing stale cert %s' % hostname)
-            LOG.warn('Removing stale puppet cert %s' % hostname)
-            try:
-                subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', 
hostname])
-            except subprocess.CalledProcessError:
-                if not signed:
-                    requestpath = 
'/var/lib/puppet/server/ssl/ca/requests/%s.pem' % hostname
-                    LOG.warn('Failed to remove stale cert %s -- directly 
removing %s\n' % (hostname, requestpath))
-                    sys.stderr.write('Failed to remove stale cert %s -- 
directly removing %s\n' % (hostname, requestpath))
-                    try:
-                        subprocess.check_call(['rm', '-f', requestpath])
-                    except subprocess.CalledProcessError:
-                        LOG.warn('Failed to rm %s, out of ideas\n' % 
requestpath)
-                        sys.stderr.write('Failed to rm %s, out of ideas\n' % 
requestpath)
-
-    if os.path.exists('/usr/bin/salt-key'):
-        # Delete salt keys for hosts that can't be found in ldap
-        salt_output = subprocess.check_output(['/usr/bin/salt-key',
-                                               '--list', 'unaccepted',
-                                               '--out', 'json'])
-        purgeSaltKeys(salt_output, "minions_pre")
-
-        # Purge accepted but unused keys
-        salt_output = subprocess.check_output(['/usr/bin/salt-key',
-                                               '--list', 'accepted',
-                                               '--out', 'json'])
-        purgeSaltKeys(salt_output, "minions")
-
-finally:
-    ds.unbind()
-
-LOG.debug('Certcleaner run complete')
diff --git a/modules/role/manifests/labs/puppetmaster.pp 
b/modules/role/manifests/labs/puppetmaster.pp
index 44c998e..cdd0f40 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
+++ b/modules/role/manifests/labs/puppetmaster.pp
@@ -45,7 +45,6 @@
         minute  => '*/1',
     }
 
-    include ::puppetmaster::certcleaner
     if ! defined(Class['puppetmaster::certmanager']) {
         class { 'puppetmaster::certmanager':
             remote_cert_cleaner => hiera('labs_certmanager_hostname'),

-- 
To view, visit https://gerrit.wikimedia.org/r/316478

Gerrit-MessageType: merged
Gerrit-Change-Id: I9fb042ba6b37657b17d8a6cf3cc6095f508de3b1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
