Tim Landscheidt has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/329382 )

Change subject: Tools: Use exported resources for ssh host keys
......................................................................

Tools: Use exported resources for ssh host keys

In the past, Tools used the central Labs puppetmaster that did not and
does not support exported resources.  Therefore each instance needed
to store its ssh host key on an NFS share, from where it was processed
by all others.

Tools has since switched to its own puppetmaster where exported
resources are available.  This change makes use of that and shares ssh
host keys with the same manifests used in production.

As Labs instances do not have IPv6 addresses, this change also amends
the template for /etc/ssh/ssh_known_hosts to handle host aliases that
are undefined.

Bug: T153163
Change-Id: Iee22dab01af78f38103743644061e4387d254d12
---
M modules/ssh/manifests/client.pp
M modules/ssh/templates/known_hosts.erb
M modules/toollabs/manifests/init.pp
3 files changed, 24 insertions(+), 37 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/82/329382/1

diff --git a/modules/ssh/manifests/client.pp b/modules/ssh/manifests/client.pp
index 8cf8808..cbd7797 100644
--- a/modules/ssh/manifests/client.pp
+++ b/modules/ssh/manifests/client.pp
@@ -3,24 +3,23 @@
         ensure => present,
     }
 
-    # no exported resources on Labs == no sshknowngen
-    if $::realm == 'production' {
-        if $::use_puppetdb {
-            file { '/etc/ssh/ssh_known_hosts':
-                content => template('ssh/known_hosts.erb'),
-                backup  => false,
-                owner   => 'root',
-                group   => 'root',
-                mode    => '0644',
-            }
-        } else {
-            file { '/etc/ssh/ssh_known_hosts':
-                content => generate('/usr/local/bin/sshknowngen'),
-                backup  => false,
-                owner   => 'root',
-                group   => 'root',
-                mode    => '0644',
-            }
+    if $::use_puppetdb {
+        file { '/etc/ssh/ssh_known_hosts':
+            content => template('ssh/known_hosts.erb'),
+            backup  => false,
+            owner   => 'root',
+            group   => 'root',
+            mode    => '0644',
+        }
+    } elsif $::realm == 'production' {
+        # The central Labs puppetmaster does not support exported
+        # resources, so sshknowngen would not work there.
+        file { '/etc/ssh/ssh_known_hosts':
+            content => generate('/usr/local/bin/sshknowngen'),
+            backup  => false,
+            owner   => 'root',
+            group   => 'root',
+            mode    => '0644',
         }
     }
 }
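Review bot: the new comment ("The central Labs puppetmaster does not support exported resources, so sshknowngen would not work there") sits on the `elsif $::realm == 'production'` branch, i.e. the production-only path, where it explains a Labs limitation; that reads backwards. Either move it above `if $::use_puppetdb {` so it states why the PuppetDB branch no longer checks `$::realm`, or reword it to say that `generate('/usr/local/bin/sshknowngen')` is kept only for production hosts without PuppetDB. It is also worth a one-line comment that a host where `$::use_puppetdb` is false and `$::realm` is not 'production' (a Labs instance still on the central puppetmaster) now gets no managed `/etc/ssh/ssh_known_hosts` at all, since that is the same behaviour as before but is no longer obvious from the shape of the conditional.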
diff --git a/modules/ssh/templates/known_hosts.erb 
b/modules/ssh/templates/known_hosts.erb
index 799114a..682fc11 100644
--- a/modules/ssh/templates/known_hosts.erb
+++ b/modules/ssh/templates/known_hosts.erb
@@ -2,7 +2,8 @@
 <%-
 scope.function_query_resources([false, '@@Sshkey', false, 'title asc']).each 
do |resource|
   parameters = resource['parameters']
-  aliases = parameters['host_aliases'].select{ |el| el !~ /^---/}.join(',')
+  aliases = parameters['host_aliases'].select{ |el| el !~ /^---/ && el != 
'undef'}.join(',')
+
   if parameters['ensure'] == 'present' -%>
 <%= resource['certname'] %>,<%= aliases %> <%= parameters['type'] %> <%= 
parameters['key'] %>
 <%-
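Review bot: `el != 'undef'` only handles the case where an undef alias reaches PuppetDB serialised as the literal string 'undef'. If the element arrives as nil instead, it passes the filter and `.join(',')` produces an empty host pattern in the middle of the line (e.g. `host,,10.0.0.1`). Suggest `parameters['host_aliases'].compact.select { |el| el !~ /^---/ && el != 'undef' }` so both forms are dropped, plus a short comment next to the filter saying why 'undef' shows up (Labs instances have no IPv6 address, per the commit message), so the next reader does not have to look up T153163. The blank line added inside the `<%-` block is harmless but unnecessary.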
diff --git a/modules/toollabs/manifests/init.pp 
b/modules/toollabs/manifests/init.pp
index a590802..a170340 100644
--- a/modules/toollabs/manifests/init.pp
+++ b/modules/toollabs/manifests/init.pp
@@ -70,28 +70,15 @@
         require => File[$sysdir],
     }
 
+    # TODO: Remove after Puppet cycle.
     file { "${store}/hostkey-${::fqdn}":
-        ensure  => file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0444',
-        content => "${::fqdn},${::hostname},${::ipaddress} ssh-rsa 
${::sshrsakey}\n${::fqdn},${::hostname},${::ipaddress} ecdsa-sha2-nistp256 
${::sshecdsakey}\n",
+        ensure  => absent,
         require => File[$store],
     }
 
-    exec { 'make_known_hosts':
-        command => "/bin/cat ${store}/hostkey-* >/etc/ssh/ssh_known_hosts~",
-        onlyif  => "/usr/bin/test -n \"\$(/usr/bin/find ${store} -maxdepth 1 
\\( -type d -or -type f -name hostkey-\\* \\) -newer 
/etc/ssh/ssh_known_hosts~)\" -o ! -s /etc/ssh/ssh_known_hosts~",
-        require => File[$store],
-    }
-
-    file { '/etc/ssh/ssh_known_hosts':
-        ensure  => file,
-        source  => '/etc/ssh/ssh_known_hosts~',
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0444',
-        require => Exec['make_known_hosts'],
+    # TODO: Remove after Puppet cycle.
+    file { '/etc/ssh/ssh_known_hosts~':
+        ensure => absent,
     }
 
     File['/var/lib/gridengine'] -> Package <| title == 'gridengine-common' |>
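Review bot: after this hunk `/etc/ssh/ssh_known_hosts` is no longer managed anywhere in toollabs, so it is only regenerated where the `ssh::client` PuppetDB branch applies, i.e. where `$::use_puppetdb` is true. Any Tools instance on which that fact is unset keeps the last file written by the removed `make_known_hosts` exec and silently stops receiving new host keys; please confirm the fact is set project-wide or guard against it. Second, the removed `content` line wrote `${::fqdn},${::hostname},${::ipaddress}` for each key, whereas the template now emits `certname` plus whatever the exported `Sshkey` carries in `host_aliases`. The exporting side is not in this diff, so please verify it exports the short hostname and the IPv4 address as aliases; otherwise `ssh <hostname>` and `ssh <ip>` will no longer match a known_hosts entry and will prompt or fail host-key verification. Finally, the two `# TODO: Remove after Puppet cycle.` resources would be easier to clean up later if the comment referenced the task (T153163).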

-- 
To view, visit https://gerrit.wikimedia.org/r/329382
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iee22dab01af78f38103743644061e4387d254d12
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
