Alexandros Kosiaris has submitted this change and it was merged (https://gerrit.wikimedia.org/r/392564).
Change subject: ganeti: create profiles, split monitoring/firewall classes
......................................................................
ganeti: create profiles, split monitoring/firewall classes
Splits the single role class into 3 separate profiles, base
firewall and monitoring.
Removes style violations.
Change-Id: Ic930b7e63644acc74aa6b803a9360628803dc782
---
M hieradata/role/common/ganeti.yaml
R modules/profile/files/ganeti/id_dsa.pub
A modules/profile/manifests/ganeti.pp
M modules/role/manifests/ganeti.pp
4 files changed, 116 insertions(+), 101 deletions(-)
Approvals:
Alexandros Kosiaris: Looks good to me, approved
jenkins-bot: Verified
diff --git a/hieradata/role/common/ganeti.yaml
b/hieradata/role/common/ganeti.yaml
index b98d368..5337da3 100644
--- a/hieradata/role/common/ganeti.yaml
+++ b/hieradata/role/common/ganeti.yaml
@@ -1,6 +1,6 @@
profile::base::ssh_server_settings:
authorized_keys_file: /etc/ssh/userkeys/%u /etc/ssh/userkeys/%u.d/cumin
/etc/ssh/userkeys/%u.d/ganeti
-ganeti::ganeti01.svc.codfw.wmnet::nodes:
+profile::ganeti::ganeti01.svc.codfw.wmnet::nodes:
- ganeti2001.codfw.wmnet
- ganeti2002.codfw.wmnet
- ganeti2003.codfw.wmnet
@@ -9,7 +9,7 @@
- ganeti2006.codfw.wmnet
- ganeti2007.codfw.wmnet
- ganeti2008.codfw.wmnet
-ganeti::ganeti01.svc.eqiad.wmnet::nodes:
+profile::ganeti::ganeti01.svc.eqiad.wmnet::nodes:
- ganeti1001.eqiad.wmnet
- ganeti1002.eqiad.wmnet
- ganeti1003.eqiad.wmnet
diff --git a/modules/role/files/ganeti/id_dsa.pub
b/modules/profile/files/ganeti/id_dsa.pub
similarity index 100%
rename from modules/role/files/ganeti/id_dsa.pub
rename to modules/profile/files/ganeti/id_dsa.pub
diff --git a/modules/profile/manifests/ganeti.pp
b/modules/profile/manifests/ganeti.pp
new file mode 100644
index 0000000..df41173
--- /dev/null
+++ b/modules/profile/manifests/ganeti.pp
@@ -0,0 +1,111 @@
+class profile::ganeti (
+ # Interpolate the ganeti_cluster fact to get the list of nodes in a
+ # cluster
+ $ganeti_nodes = hiera("profile::ganeti::${::ganeti_cluster}::nodes"),
+) {
+
+ class { '::ganeti': }
+
+ # Ganeti hosts have KSM enabled. So get stats about it
+ diamond::collector { 'KSM': }
+
+ # Ganeti needs intracluster SSH root access
+ ssh::userkey { 'root-ganeti':
+ ensure => present,
+ user => 'root',
+ skey => 'ganeti',
+ source => 'puppet:///modules/profile/ganeti/id_dsa.pub',
+ }
+
+ # And the private key
+ file { '/root/.ssh/id_dsa':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0400',
+ content => secret('ganeti/id_dsa'),
+ show_diff => false,
+ }
+ # This is here for completeness
+ file { '/root/.ssh/id_dsa.pub':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0400',
+ source => 'puppet:///modules/profile/ganeti/id_dsa.pub',
+ }
+
+ # If ganeti_cluster fact is not defined, the node has not been added to a
+ # cluster yet, so don't monitor and don't setup a firewall.
+ if $facts['ganeti_cluster'] {
+
+ # Monitoring
+ nrpe::monitor_service{ 'ganeti-noded':
+ description => 'ganeti-noded running',
+ nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:2 -c 1:2
-u root -C ganeti-noded'
+ }
+
+ nrpe::monitor_service{ 'ganeti-confd':
+ description => 'ganeti-confd running',
+ nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1
-u gnt-confd -C ganeti-confd'
+ }
+
+ nrpe::monitor_service{ 'ganeti-mond':
+ description => 'ganeti-mond running',
+ nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1
-u root -C ganeti-mond'
+ }
+
+ # Firewalling
+ $ganeti_ferm_nodes = join($ganeti_nodes, ' ')
+
+ # Same ganeti actions require SSH
+ ferm::service { 'ganeti_ssh_cluster':
+ proto => 'tcp',
+ port => 'ssh',
+ srange => "@resolve((${ganeti_ferm_nodes}))",
+ }
+
+ # RAPI is the API of ganeti
+ ferm::service { 'ganeti_rapi_cluster':
+ proto => 'tcp',
+ port => 5080,
+ srange => "@resolve((${ganeti_ferm_nodes}))",
+ }
+
+ # Ganeti noded is responsible for all cluster/node actions
+ ferm::service { 'ganeti_noded_cluster':
+ proto => 'tcp',
+ port => 1811,
+ srange => "@resolve((${ganeti_ferm_nodes}))",
+ }
+
+ # Ganeti confd provides a HA and fast way to query cluster
configuration
+ ferm::service { 'ganeti_confd_cluster':
+ proto => 'udp',
+ port => 1814,
+ srange => "@resolve((${ganeti_ferm_nodes}))",
+ }
+
+ # Ganeti mond is the monitoring daemon. Data is available via port 1815
+ ferm::service { 'ganeti_mond_cluster':
+ proto => 'tcp',
+ port => 1815,
+ srange => "@resolve((${ganeti_ferm_nodes}))",
+ }
+
+ # DRBD is used for HA of disk images. Port range for ganeti is
+ # 11000-14999
+ ferm::service { 'ganeti_drbd':
+ proto => 'tcp',
+ port => '11000:14999',
+ srange => "@resolve((${ganeti_ferm_nodes}))",
+ }
+
+ # Migration is done over TCP port
+ ferm::service { 'ganeti_migration':
+ proto => 'tcp',
+ port => 8102,
+ srange => "@resolve((${ganeti_ferm_nodes}))",
+ }
+ }
+}
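Review bot: The `hiera("profile::ganeti::${::ganeti_cluster}::nodes")` lookup in the class parameter default is evaluated unconditionally, whereas the removed role code performed it only inside the `if $::ganeti_cluster` guard; on a host whose `ganeti_cluster` fact is not yet set the key presumably collapses to `profile::ganeti::::nodes`, and `hiera()` with no default aborts catalog compilation, which contradicts the comment above the `if` that says unjoined nodes simply skip monitoring and firewalling. Supplying a default keeps such nodes compiling: `$ganeti_nodes = hiera("profile::ganeti::${::ganeti_cluster}::nodes", [])`. The block also mixes `$::ganeti_cluster` in the parameter default with `$facts['ganeti_cluster']` in the guard; one form throughout reads better. Since every `srange` is built from `@resolve((…))` over that hiera list, the trust boundary of these rules is whatever DNS returns for those names when ferm loads, so a one-line comment next to `$ganeti_ferm_nodes` such as `# srange membership depends on DNS resolution of the hiera node list at ferm load time` would help the next reader.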
diff --git a/modules/role/manifests/ganeti.pp b/modules/role/manifests/ganeti.pp
index 0d4075f..b43902a 100644
--- a/modules/role/manifests/ganeti.pp
+++ b/modules/role/manifests/ganeti.pp
@@ -1,107 +1,11 @@
# Role classes for ganeti
class role::ganeti {
- include ::standard
- include ::ganeti
- # Ganeti hosts have KSM enabled. So get stats about it
- diamond::collector { 'KSM': }
system::role { 'ganeti':
description => 'Ganeti Node',
}
- # Ganeti needs intracluster SSH root access
- ssh::userkey { 'root-ganeti':
- ensure => present,
- user => 'root',
- skey => 'ganeti',
- source => 'puppet:///modules/role/ganeti/id_dsa.pub',
- }
-
- # And the private key
- file { '/root/.ssh/id_dsa':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0400',
- content => secret('ganeti/id_dsa'),
- show_diff => false,
- }
- # This is here for completeness
- file { '/root/.ssh/id_dsa.pub':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0400',
- source => 'puppet:///modules/role/ganeti/id_dsa.pub',
- }
-
- # If ganeti_cluster fact is not defined, the node has not been added to a
- # cluster yet, so don't monitor and don't setup a firewall
- if $::ganeti_cluster {
- include ::base::firewall
- # Interpolate the ganeti_cluster fact to get the list of nodes in a
- # cluster
- $ganeti_nodes = hiera("ganeti::${::ganeti_cluster}::nodes")
- $ganeti_ferm_nodes = join($ganeti_nodes, ' ')
-
- # Same ganeti actions require SSH
- ferm::service { 'ganeti_ssh_cluster':
- proto => 'tcp',
- port => 'ssh',
- srange => "@resolve((${ganeti_ferm_nodes}))",
- }
- # RAPI is the API of ganeti
- ferm::service { 'ganeti_rapi_cluster':
- proto => 'tcp',
- port => 5080,
- srange => "@resolve((${ganeti_ferm_nodes}))",
- }
- # Ganeti noded is responsible for all cluster/node actions
- ferm::service { 'ganeti_noded_cluster':
- proto => 'tcp',
- port => 1811,
- srange => "@resolve((${ganeti_ferm_nodes}))",
- }
- nrpe::monitor_service{ 'ganeti-noded':
- description => 'ganeti-noded running',
- nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:2 -c 1:2
-u root -C ganeti-noded'
- }
-
- # Ganeti confd provides a HA and fast way to query cluster
configuration
- ferm::service { 'ganeti_confd_cluster':
- proto => 'udp',
- port => 1814,
- srange => "@resolve((${ganeti_ferm_nodes}))",
- }
- nrpe::monitor_service{ 'ganeti-confd':
- description => 'ganeti-confd running',
- nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1
-u gnt-confd -C ganeti-confd'
- }
-
- # Ganeti mond is the monitoring daemon. Data is available via port 1815
- ferm::service { 'ganeti_mond_cluster':
- proto => 'tcp',
- port => 1815,
- srange => "@resolve((${ganeti_ferm_nodes}))",
- }
- nrpe::monitor_service{ 'ganeti-mond':
- description => 'ganeti-mond running',
- nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1
-u root -C ganeti-mond'
- }
-
- # DRBD is used for HA of disk images. Port range for ganeti is
- # 11000-14999
- ferm::service { 'ganeti_drbd':
- proto => 'tcp',
- port => '11000:14999',
- srange => "@resolve((${ganeti_ferm_nodes}))",
- }
-
- # Migration is done over TCP port
- ferm::service { 'ganeti_migration':
- proto => 'tcp',
- port => 8102,
- srange => "@resolve((${ganeti_ferm_nodes}))",
- }
- }
+ include ::standard
+ include ::profile::ganeti
+ include ::profile::base::firewall
}
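Review bot: `include ::profile::base::firewall` is unconditional on the new side, while the removed `include ::base::firewall` sat inside the `if $::ganeti_cluster` guard, so hosts not yet joined to a cluster now receive the base firewall — a behaviour change the commit message does not mention. If that is intended (a baseline firewall on every node before cluster-specific rules are added is the safer state), it deserves a line in the message or a comment like `# base firewall applies to every node; cluster-scoped rules live in profile::ganeti`; if not, the include should be guarded as before. The guarded monitoring and ferm rules themselves now live in profile::ganeti, outside this hunk.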
Gerrit-MessageType: merged
Gerrit-Change-Id: Ic930b7e63644acc74aa6b803a9360628803dc782
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: jenkins-bot <>