Ottomata has submitted this change and it was merged.

Change subject: Refactoring puppetmaster::self to allow for puppet clients.
......................................................................


Refactoring puppetmaster::self to allow for puppet clients.

You should now use role::puppet::self instead.
puppetmaster::self is retained for backwards compatibility.

Woowee, let's see if this works!

Change-Id: I7d8d68684e726c79d56e9027423590b94957cbcd
---
M manifests/puppetmaster.pp
M manifests/role/puppet.pp
M templates/puppet/fileserver-self.conf.erb
M templates/puppet/puppet.conf.d/10-self.conf.erb
4 files changed, 302 insertions(+), 140 deletions(-)

Approvals:
  coren: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/puppetmaster.pp b/manifests/puppetmaster.pp
index 6a922de..170af01 100644
--- a/manifests/puppetmaster.pp
+++ b/manifests/puppetmaster.pp
@@ -392,146 +392,108 @@
 
 }
 
-# Class: puppetmaster::self
 #
-# This configures a single system as both puppet client and puppet master.
-# Such a config is useful for puppet development as it allows testing
-# and debugging in one place.
+# Below are classes used to configure self hosted puppet
+# on labs instances. role::puppet::self (in puppet.pp)
+# is the recommended class to use.  Please use it to
+# include these classes.
 #
-# The puppet files and manifests are checked out in $gitdir/operations/puppet
-# where they can be modified and then re-applied to the instance via
-# puppetd -tv.
-#
-# This class should probably only be used on temporary labs instances.
+
+# == Class puppetmaster::self
+# Wrapper class for puppet::self::master
+# with server => localhost.  This is
+# maintained for backwards compatibility.
+# Please use role::puppet::self
+# in roles/puppet.pp instead.
 #
 class puppetmaster::self {
+       class { 'puppet::self::master':
+               server => 'localhost',
+       }
+}
 
-       class config inherits base::puppet {
-               include role::ldap::config::labs
+# == Class puppet::self::client
+# Sets up a node as a puppet client with
+# $server as the puppetmaster.
+#
+# == Parameters
+# $server - hostname of the puppetmaster.
+#
+class puppet::self::client($server) {
+       system_role { 'puppetclient':
+               description => "Puppet client of ${server}"
+       }
 
-               $ldapconfig = $role::ldap::config::labs::ldapconfig
-               $basedn = $ldapconfig["basedn"]
+       # Most of the defaults in puppet::self::config
+       # are good for setting up a puppet client.
+       class { 'puppet::self::config':
+               server => $server,
+       }
+}
 
-               $config = {
-                       'dbadapter' => "sqlite3",
-                       'node_terminus' => "ldap",
-                       'ldapserver' => $ldapconfig["servernames"][0],
-                       'ldapbase' => "ou=hosts,${basedn}",
-                       'ldapstring' => 
"(&(objectclass=puppetClient)(associatedDomain=%s))",
-                       'ldapuser' => $ldapconfig["proxyagent"],
-                       'ldappassword' => $ldapconfig["proxypass"],
-                       'ldaptls' => true
-               }
-
-               File["/etc/puppet/puppet.conf.d/10-main.conf"] {
-                       ensure => absent
-               }
-
-               file { "/etc/puppet/puppet.conf.d/10-self.conf":
-                       require => File["/etc/puppet/puppet.conf.d"],
-                       owner => root,
-                       group => root,
-                       mode => 0444,
-                       content => 
template("puppet/puppet.conf.d/10-self.conf.erb"),
-                       notify => Exec["compile puppet.conf"];
-               }
-
-               file { "/etc/puppet/fileserver.conf":
-                       owner => root,
-                       group => root,
-                       mode => 0444,
-                       content => template("puppet/fileserver-self.conf.erb")
-               }
-
-               $gitdir = "/var/lib/git"
-               file { "/etc/puppet/private":
-                       ensure => link,
-                       target => "$gitdir/labs/private",
-                       force  => true,
-               }
-               file { "/etc/puppet/templates":
-                       ensure => link,
-                       target => "$gitdir/operations/puppet/templates",
-                       force  => true,
-               }
-               file { "/etc/puppet/files":
-                       ensure => link,
-                       target => "$gitdir/operations/puppet/files",
-                       force  => true,
-               }
-               file { "/etc/puppet/manifests":
-                       ensure => link,
-                       target => "$gitdir/operations/puppet/manifests",
-                       force  => true,
-               }
-               file { "/etc/puppet/modules":
-                       ensure => link,
-                       target => "$gitdir/operations/puppet/modules",
-                       force  => true,
+# == Class puppet::self::master
+# Sets up a node as a puppetmaster.
+# If server => localhost, then this node will
+# be set up to only act as a puppetmaster for itself.
+# Otherwise, this server will be able to act as a puppetmaster
+# for any labs nodes that are configured using the puppet::self::client
+# class with $server set to this nodes $::fqdn.
+#
+# This class will clone the operations/puppet git repository
+# and set it up with proper symlinks in /etc/puppet.
+#
+# == Parameters
+# $server - hostname of the puppetmaster.
+#
+class puppet::self::master($server) {
+       system_role { 'puppetmaster': 
+               description  => $server ? {
+                       'localhost' => 'Puppetmaster for itself',
+                       default     => 'Puppetmaster for project labs 
instances',
                }
        }
 
-       class gitclone {
-               $gitdir = "/var/lib/git"
+       # If localhost, only bind to loopback.
+       $bindaddress = $server ? {
+               'localhost' => '127.0.0.1',
+               default => $::ipaddress,
+       }
 
-               file { "$gitdir":
-                       ensure => directory,
-                       owner  => root,
-                       group  =>root,
-               }
-               file { "$gitdir/operations":
-                       ensure => directory,
-                       owner  => root,
-                       group  => root,
-               }
-               file { "$gitdir/labs":
-                       ensure => directory,
-                       # private repo resides here, so enforce some perms
-                       owner  => root,
-                       group  => puppet,
-                       mode   => 0640,
-               }
-
-               file { "$gitdir/ssh":
-                       ensure  => file,
-                       owner   => root,
-                       group   => root,
-                       mode    => 0755,
-                       # FIXME: ok, this sucks. ew. ewww.
-                       content => "#!/bin/sh\nexec ssh -o 
StrictHostKeyChecking=no -i $gitdir/labs-puppet-key \$*\n",
-                       require => File["$gitdir/labs-puppet-key"],
-               }
-               file { "$gitdir/labs-puppet-key":
-                       ensure  => file,
-                       owner   => root,
-                       group   => root,
-                       mode    => 0600,
-                       source  => "puppet:///private/ssh/labs-puppet-key",
-               }
-
-               git::clone { "operations/puppet":
-                       directory => "$gitdir/operations/puppet",
-                       branch    => "production",
-                       origin    => 
"https://gerrit.wikimedia.org/r/operations/puppet.git";,
-                       require   => File["$gitdir/operations"],
-               }
-               git::clone { "labs/private":
-                       directory => "$gitdir/labs/private",
-                       origin    => 
"ssh://[email protected]:29418/labs/private.git",
-                       ssh       => "$gitdir/ssh",
-                       require   => [ File["$gitdir/labs"], 
File["$gitdir/ssh"] ],
+       # If localhost, only allow this node.
+       # Else allow the labs subnet.
+       $puppet_client_subnet = $server ? {
+               'localhost' => '127.0.0.1',
+               default => $::site ? {
+                       'pmtpa' => '10.4.0.0/21',
+                       'eqiad' => undef,  # eqiad does not have labs yet.
                }
        }
 
-       system_role { "puppetmaster": description => "Puppetmaster for itself" }
-
-       include config
-       include gitclone
-
-       package { [ "vim-puppet", "puppet-el", "rails" ]:
-               ensure => present,
+       # If localhost, then just name the cert 'localhost'.
+       # Else certname should be the labs instanceid. ($dc comes from ldap.)
+       $certname = $server ? {
+               'localhost' => 'localhost',
+               default => "${dc}.${::domain}"
        }
-       package { [ "libsqlite3-ruby", "libldap-ruby1.8" ]:
+
+       class { 'puppet::self::config':
+               is_puppetmaster      => true,
+               server               => $server,
+               bindaddress          => $bindaddress,
+               puppet_client_subnet => $puppet_client_subnet,
+               certname             => $certname,
+       }
+       class { 'puppet::self::gitclone':
+               require => Class['puppet::self::config'],
+       }
+
+       package { [
+               "vim-puppet",
+               "puppet-el",
+               "rails",
+               "libsqlite3-ruby",
+               "libldap-ruby1.8",
+       ]:
                ensure => present,
        }
 
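Review bot: The `$puppet_client_subnet` selector has no `default` arm on the inner `$::site` match and yields `undef` for eqiad, so a non-localhost master in eqiad passes `undef` into `puppet::self::config`, where every `allow <%= puppet_client_subnet %>` line of fileserver-self.conf.erb then renders with nothing after `allow`, while any other site value aborts catalog compilation with a no-matching-selector error. An empty or unknown fileserver allow list is a security-relevant misconfiguration, so failing early is preferable to writing a broken fileserver.conf: `if $server != 'localhost' and $puppet_client_subnet == undef { fail("no puppet client subnet known for site ${::site}") }` placed right after the selector. The `$certname` selector interpolates an unqualified `$dc`; if that LDAP-provided value is not in scope the certname silently becomes `.${::domain}`, so `$::dc` plus the same kind of guard would make the dependency explicit. The body of puppet::self::master continues past the end of this hunk.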
@@ -543,15 +505,166 @@
                        Package['rails'],
                        Package['libsqlite3-ruby'],
                        Package['libldap-ruby1.8'],
-                       Class['config'],
-                       Class['gitclone'],
+                       Class['puppet::self::config'],
+                       Class['puppet::self::gitclone'],
                ],
        }
 
-       class { "puppetmaster::ssl":
-               server_name => $fqdn,
+       class { 'puppetmaster::ssl':
+               server_name => $::fqdn,
                ca => true
        }
 
+       service { 'puppetmaster':
+               ensure  => 'running',
+               require => Package['puppetmaster'],
+       }
+
        include puppetmaster::scripts
 }
+
+
+# == Class puppet::self::config
+# Configures variables and puppet config files
+# for either self puppetmasters or self puppet clients.
+# This inherits from base::puppet in order to override
+# default puppet config files.
+#
+# == Parameters
+# $server - hostname of the puppetmaster.
+# $is_puppetmaster - true or false. Default: false.
+# $bindaddress - address to which a puppetmaster should listen.  Unused if 
$is_puppetmaster is false.
+# $puppet_client_subnet - Network from which to allow fileserver connections.  
Unused if $is_puppetmaster is false.
+# $certname - Name of the puppet CA certificate.  Default: "$dc.$domain", e.g. 
the labs instance name:  i-00000699.pmtpa.wmflabs.
+#
+class puppet::self::config(
+       $server,
+       $is_puppetmaster = false,
+       $bindaddress = undef,
+       $puppet_client_subnet = undef,
+       $certname = "${dc}.${::domain}") inherits base::puppet
+{
+       include role::ldap::config::labs
+
+       $ldapconfig = $role::ldap::config::labs::ldapconfig
+       $basedn = $ldapconfig['basedn']
+
+       $config = {
+               'dbadapter'     => 'sqlite3',
+               'node_terminus' => 'ldap',
+               'ldapserver'    => $ldapconfig['servernames'][0],
+               'ldapbase'      => "ou=hosts,${basedn}",
+               'ldapstring'    => 
'(&(objectclass=puppetClient)(associatedDomain=%s))',
+               'ldapuser'      => $ldapconfig['proxyagent'],
+               'ldappassword'  => $ldapconfig['proxypass'],
+               'ldaptls'       => true
+       }
+
+       File['/etc/puppet/puppet.conf.d/10-main.conf'] {
+               ensure => absent,
+       }
+
+       file { '/etc/puppet/puppet.conf.d/10-self.conf':
+               owner   => root,
+               group   => root,
+               mode    => 0444,
+               content => template('puppet/puppet.conf.d/10-self.conf.erb'),
+               require => [File['/etc/puppet/puppet.conf.d'], 
File['/etc/puppet/puppet.conf.d/10-main.conf']],
+               notify  => Exec['compile puppet.conf'];
+       }
+
+       file { '/etc/puppet/fileserver.conf':
+               owner    => root,
+               group    => root,
+               mode     => 0444,
+               content  => template('puppet/fileserver-self.conf.erb'),
+               ensure   => $is_puppetmaster ? {
+                       true    => 'file',
+                       default => absent,
+               }
+       }
+
+}
+
+
+# == Class puppet::self::gitclone
+# Clones the operations/puppet repository
+# for use by puppet::self::masters.
+#
+class puppet::self::gitclone {
+       $gitdir = '/var/lib/git'
+
+       file { $gitdir:
+               ensure => directory,
+               owner  => root,
+               group  =>root,
+       }
+       file { "${gitdir}/operations":
+               ensure => directory,
+               owner  => root,
+               group  => root,
+       }
+       file { "${gitdir}/labs":
+               ensure => directory,
+               # private repo resides here, so enforce some perms
+               owner  => root,
+               group  => puppet,
+               mode   => 0640,
+       }
+
+       file { "${gitdir}/ssh":
+               ensure  => file,
+               owner   => root,
+               group   => root,
+               mode    => 0755,
+               # FIXME: ok, this sucks. ew. ewww.
+               content => "#!/bin/sh\nexec ssh -o StrictHostKeyChecking=no -i 
${gitdir}/labs-puppet-key \$*\n",
+               require => File["${gitdir}/labs-puppet-key"],
+       }
+       file { "${gitdir}/labs-puppet-key":
+               ensure  => file,
+               owner   => root,
+               group   => root,
+               mode    => 0600,
+               source  => 'puppet:///private/ssh/labs-puppet-key',
+       }
+
+       git::clone { 'operations/puppet':
+               directory => "${gitdir}/operations/puppet",
+               branch    => 'production',
+               origin    => 
'https://gerrit.wikimedia.org/r/operations/puppet.git',
+               require   => File["${gitdir}/operations"],
+       }
+       git::clone { 'labs/private':
+               directory => "${gitdir}/labs/private",
+               origin    => 
'ssh://[email protected]:29418/labs/private.git',
+               ssh       => "${gitdir}/ssh",
+               require   => [ File["${gitdir}/labs"], File["${gitdir}/ssh"] ],
+       }
+
+       file { '/etc/puppet/private':
+               ensure => link,
+               target => "${gitdir}/labs/private",
+               force  => true,
+       }
+       file { '/etc/puppet/templates':
+               ensure => link,
+               target => "${gitdir}/operations/puppet/templates",
+               force  => true,
+       }
+       file { '/etc/puppet/files':
+               ensure => link,
+               target => "${gitdir}/operations/puppet/files",
+               force  => true,
+       }
+       file { '/etc/puppet/manifests':
+               ensure => link,
+               target => "${gitdir}/operations/puppet/manifests",
+               force  => true,
+       }
+       file { '/etc/puppet/modules':
+               ensure => link,
+               target => "${gitdir}/operations/puppet/modules",
+               force  => true,
+       }
+}
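Review bot: `/etc/puppet/puppet.conf.d/10-self.conf` is installed with `mode => 0444`, world-readable, yet on masters its rendered content includes `ldappassword` taken from `$ldapconfig['proxypass']` via the `$config` hash; this is carried over from the old config class rather than introduced here, but the refactor is the moment to tighten it, e.g. `mode => 0440, group => puppet,` so the master process can still read it while other local users cannot. The compiled `/etc/puppet/puppet.conf` that `Exec['compile puppet.conf']` produces from this fragment has its mode set elsewhere and presumably deserves the same check. The parameter comment for `$certname` calls it the name of the CA certificate, but the template uses it as the `[agent]` and `[master]` `certname`, so `# $certname - certname used by the agent and, if $is_puppetmaster, by the master. Default: "$dc.$domain", e.g. i-00000699.pmtpa.wmflabs.` would be accurate. In puppet::self::gitclone, `${gitdir}/labs` is a directory with `mode => 0640`, which gives group puppet read but not search permission; if the master is meant to read `labs/private` through the `/etc/puppet/private` symlink as group puppet, `0750` matches that intent — worth confirming against the user puppetmaster runs as. The first lines of this hunk are inside puppet::self::master, whose body begins before the hunk.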
diff --git a/manifests/role/puppet.pp b/manifests/role/puppet.pp
index 8ead085..ba3e7eb 100644
--- a/manifests/role/puppet.pp
+++ b/manifests/role/puppet.pp
@@ -34,3 +34,42 @@
                };
        }
 }
+
+
+# == Class role::puppet::self
+# Wrapper class for puppet::self::master
+# and puppet::self::client.
+# If $::puppetmaster is localhost or matches the $::fqdn of this node,
+# then this node will be configured as a puppetmaster.
+# NOTE:  $::puppetmaster == 'localhost' (or undef) does the exact same
+# thing as the original puppetmaster::self class used to do.
+#
+# $::puppetmaster must be set as a global variable.
+# This allows puppet classes to be configured via LDAP
+# and labsconsole instance configuration.
+#
+class role::puppet::self {
+       # If $::puppetmaster is not set, assume
+       # this is a self hosted puppetmaster, not allowed
+       # to serve any other puppet clients.
+       $server = $::puppetmaster ? {
+               undef       => 'localhost',
+               'localhost' => 'localhost',
+               ''          => 'localhost',
+               default     => "${::puppetmaster}.${domain}",
+       }
+
+       # If localhost or if $server matches this node's
+       # $fqdn, then this is a puppetmaster.
+       if ($server == 'localhost' or $server == $::fqdn) {
+               class { 'puppet::self::master':
+                       server => $server,
+               }
+       }
+       # Else this is a puppet client.
+       else {
+               class { 'puppet::self::client':
+                       server => $server,
+               }
+       }
+}
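Review bot: The `default` arm of the `$server` selector interpolates an unqualified `${domain}` while the rest of the class uses `$::fqdn` and `$::puppetmaster`; `default     => "${::puppetmaster}.${::domain}",` keeps the lookup explicit and consistent. Because `$::puppetmaster` comes from LDAP/labsconsole instance configuration, whoever can edit that value effectively chooses which host may push configuration (and so run code as root) to the instance, and the class comment should state that trust boundary, e.g. `# Setting $::puppetmaster makes this node trust the named host as its puppetmaster; treat write access to that setting as equivalent to root on the instance.` A value that already carries a domain suffix would be doubled by the interpolation, which is worth either documenting or guarding with a match on `$::puppetmaster`.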
diff --git a/templates/puppet/fileserver-self.conf.erb 
b/templates/puppet/fileserver-self.conf.erb
index 482e8f3..2120a0f 100644
--- a/templates/puppet/fileserver-self.conf.erb
+++ b/templates/puppet/fileserver-self.conf.erb
@@ -7,23 +7,23 @@
 # over deny
 [files]
        path /etc/puppet/files
-       allow 127.0.0.1
+       allow <%= puppet_client_subnet %>
 
 [plugins]
-       allow 127.0.0.1
+       allow <%= puppet_client_subnet %>
 
 [private]
        path /etc/puppet/private/files
-       allow 127.0.0.1
+       allow <%= puppet_client_subnet %>
 
 [facts]
        path /var/lib/puppet/facts
-       allow 127.0.0.1
+       allow <%= puppet_client_subnet %>
 
 [volatile]
        path /var/lib/puppet/volatile
-       allow 127.0.0.1
+       allow <%= puppet_client_subnet %>
 
 [software]
        path /etc/puppet/software
-       allow 127.0.0.1
+       allow <%= puppet_client_subnet %>
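Review bot: Every mount, including `[private]` (backed by `/etc/puppet/private/files`, i.e. the labs/private checkout that also supplies `labs-puppet-key` in puppetmaster.pp), is now opened to `puppet_client_subnet`, which for pmtpa is the whole `10.4.0.0/21` labs range rather than the specific clients of this master, so any instance in that subnet that can reach the master's port can fetch those files. Restricting `[private]` more tightly than the generic mounts would limit the exposure, for example by keeping `allow 127.0.0.1` and adding an explicit list of client names passed in from the master class instead of a subnet. Whether the fileserver's `allow` here matches on source IP or on client certificate name depends on the Puppet version deployed, so the actual exposure should be confirmed before relying on the subnet restriction alone.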
diff --git a/templates/puppet/puppet.conf.d/10-self.conf.erb 
b/templates/puppet/puppet.conf.d/10-self.conf.erb
index 605148a..2e72e0a 100644
--- a/templates/puppet/puppet.conf.d/10-self.conf.erb
+++ b/templates/puppet/puppet.conf.d/10-self.conf.erb
@@ -3,23 +3,32 @@
 [main]
 logdir = /var/log/puppet
 vardir = /var/lib/puppet
-ssldir = /var/lib/puppet/server/ssl
+ssldir = <%= is_puppetmaster ? '/var/lib/puppet/server/ssl' : 
'/var/lib/puppet/ssl' %>
 rundir = /var/run/puppet
 factpath = $vardir/lib/facter
 
 [agent]
-server = localhost
+server = <%= server %>
 configtimeout = 480
 splay = true
 prerun_command = /etc/puppet/etckeeper-commit-pre
 postrun_command = /etc/puppet/etckeeper-commit-post
 pluginsync = false
 report = true
+<%
+# only set agent certname if not 'localhost',
+# i.e. not single self hosted puppetmaster.  (The original
+# puppetmaster::self did not explicitly set an agent certname.)
+if certname != 'localhost'
+-%>
+certname = <%= certname %>
+<% end -%>
 
+<% if is_puppetmaster -%>
 [master]
-bindaddress = 127.0.0.1
+bindaddress = <%= bindaddress %>
 ca_md = sha1
-certname = localhost
+certname = <%= certname %>
 thin_storeconfigs = true
 templatedir = /etc/puppet/templates
 
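Review bot: In the `[master]` section `certname = <%= certname %>` now follows the class parameter, while `hostcert`/`hostprivkey` just beyond this hunk are still built from `<%= fqdn %>` and `puppetmaster::ssl` in puppetmaster.pp is declared with `server_name => $::fqdn`; for a non-localhost master where `${dc}.${::domain}` differs from `$::fqdn`, the master would announce one certname but serve the key pair of another, so either the master-case `certname` should be tied to `$::fqdn` or a comment should record why the two are expected to coincide on labs instances. The `<% if certname != 'localhost' -%>` block is sound, but its comment reads more clearly as `# Only set the agent certname when it is not 'localhost', i.e. outside the single self-hosted puppetmaster case (the original puppetmaster::self never set an agent certname).`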
@@ -30,6 +39,7 @@
 hostcert = /var/lib/puppet/server/ssl/certs/<%= fqdn %>.pem
 hostprivkey = /var/lib/puppet/server/ssl/private_keys/<%= fqdn %>.pem
 
-<% scope.lookupvar('puppetmaster::self::config::config').sort.each do 
|setting, value| -%>
+<% scope.lookupvar('puppet::self::config::config').sort.each do |setting, 
value| -%>
 <%= setting %> = <%= value %>
 <% end -%>
+<% end -%>
\ No newline at end of file


Gerrit-MessageType: merged
Gerrit-Change-Id: I7d8d68684e726c79d56e9027423590b94957cbcd
Gerrit-PatchSet: 14
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ottomata <[email protected]>
Gerrit-Reviewer: Faidon <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: Ryan Lane <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot
