Tim Landscheidt has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/329382 )
Change subject: Tools: Use exported resources for ssh host keys
......................................................................
Tools: Use exported resources for ssh host keys
In the past, Tools used the central Labs puppetmaster that did not and does not support exported resources. Therefore each instance needed to store its ssh host key on a NFS share where it was processed from by all others. Tools has since switched to its own puppetmaster where exported resources are available. This change makes use of that and shares ssh host keys with the same manifests used in production. As Labs instances do not have IPv6 addresses, this change also amends the template for /etc/ssh/ssh_known_hosts to handle host aliases that are undefined.
Bug: T153163
Change-Id: Iee22dab01af78f38103743644061e4387d254d12
---
M modules/ssh/manifests/client.pp
M modules/ssh/templates/known_hosts.erb
M modules/toollabs/manifests/init.pp
3 files changed, 24 insertions(+), 37 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/82/329382/1
diff --git a/modules/ssh/manifests/client.pp b/modules/ssh/manifests/client.pp
index 8cf8808..cbd7797 100644
--- a/modules/ssh/manifests/client.pp
+++ b/modules/ssh/manifests/client.pp
@@ -3,24 +3,23 @@
 ensure => present,
 }
- # no exported resources on Labs == no sshknowngen
- if $::realm == 'production' {
- if $::use_puppetdb {
- file { '/etc/ssh/ssh_known_hosts':
- content => template('ssh/known_hosts.erb'),
- backup => false,
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
- } else {
- file { '/etc/ssh/ssh_known_hosts':
- content => generate('/usr/local/bin/sshknowngen'),
- backup => false,
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
+ if $::use_puppetdb {
+ file { '/etc/ssh/ssh_known_hosts':
+ content => template('ssh/known_hosts.erb'),
+ backup => false,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ } elsif $::realm == 'production' {
+ # The central Labs puppetmaster does not support exported
+ # resources, so sshknowngen would not work there.
+ file { '/etc/ssh/ssh_known_hosts':
+ content => generate('/usr/local/bin/sshknowngen'),
+ backup => false,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
 }
 }
 }
diff --git a/modules/ssh/templates/known_hosts.erb b/modules/ssh/templates/known_hosts.erb
index 799114a..682fc11 100644
--- a/modules/ssh/templates/known_hosts.erb
+++ b/modules/ssh/templates/known_hosts.erb
@@ -2,7 +2,8 @@
 <%- scope.function_query_resources([false, '@@Sshkey', false, 'title asc']).each do |resource|
 parameters = resource['parameters']
- aliases = parameters['host_aliases'].select{ |el| el !~ /^---/}.join(',')
+ aliases = parameters['host_aliases'].select{ |el| el !~ /^---/ && el != 'undef'}.join(',')
+ if parameters['ensure'] == 'present'
 -%>
 <%= resource['certname'] %>,<%= aliases %> <%= parameters['type'] %> <%= parameters['key'] %>
 <%-
diff --git a/modules/toollabs/manifests/init.pp b/modules/toollabs/manifests/init.pp
index a590802..a170340 100644
--- a/modules/toollabs/manifests/init.pp
+++ b/modules/toollabs/manifests/init.pp
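Review bot: The two branches of the new `if $::use_puppetdb { … } elsif $::realm == 'production' { … }` declare the same `file { '/etc/ssh/ssh_known_hosts': … }` resource with identical `backup`, `owner`, `group` and `mode`, differing only in `content`, so any later change to the file's ownership or mode has to be made twice. Picking the content first and declaring the resource once removes the duplication and keeps the behaviour: a Labs instance without puppetdb still gets no resource, as before. The comment about the central Labs puppetmaster justifies the absent `else` branch rather than the production `elsif` it now sits in, so it reads better next to the case it explains.
```puppet
  if $::use_puppetdb {
    $known_hosts_content = template('ssh/known_hosts.erb')
  } elsif $::realm == 'production' {
    $known_hosts_content = generate('/usr/local/bin/sshknowngen')
  } else {
    # The central Labs puppetmaster does not support exported
    # resources, so neither source works there; leave the file alone.
    $known_hosts_content = undef
  }

  if $known_hosts_content {
    file { '/etc/ssh/ssh_known_hosts':
      content => $known_hosts_content,
      backup  => false,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
    }
  }
```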
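Review bot: The added `if parameters['ensure'] == 'present'` opens a Ruby block whose closing `end` is not in this hunk, and the diffstat's 24 insertions are all accounted for by the visible added lines across the three files, so unless the existing template already closes it, the ERB will fail to parse; a matching `end` needs to go before the `each` block's `end` after the `<%-` that ends the hunk. The new `el != 'undef'` test presumably matches the string an undefined alias (the missing IPv6 address from the commit message) becomes when the exported resource is serialized; filtering blank values as well would not depend on that spelling, e.g. `.select { |el| el && !el.empty? && el !~ /\A---/ && el != 'undef' }`. Each accepted alias is emitted verbatim into a known_hosts line, so a short comment stating that aliases come from the exporting host's facts and are only filtered, not validated, would help the next reader.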
@@ -70,28 +70,15 @@
 require => File[$sysdir],
 }
+ # TODO: Remove after Puppet cycle.
 file { "${store}/hostkey-${::fqdn}":
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0444',
- content => "${::fqdn},${::hostname},${::ipaddress} ssh-rsa ${::sshrsakey}\n${::fqdn},${::hostname},${::ipaddress} ecdsa-sha2-nistp256 ${::sshecdsakey}\n",
+ ensure => absent,
 require => File[$store],
 }
- exec { 'make_known_hosts':
- command => "/bin/cat ${store}/hostkey-* >/etc/ssh/ssh_known_hosts~",
- onlyif => "/usr/bin/test -n \"\$(/usr/bin/find ${store} -maxdepth 1 \\( -type d -or -type f -name hostkey-\\* \\) -newer /etc/ssh/ssh_known_hosts~)\" -o ! -s /etc/ssh/ssh_known_hosts~",
- require => File[$store],
- }
-
- file { '/etc/ssh/ssh_known_hosts':
- ensure => file,
- source => '/etc/ssh/ssh_known_hosts~',
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => Exec['make_known_hosts'],
+ # TODO: Remove after Puppet cycle.
+ file { '/etc/ssh/ssh_known_hosts~':
+ ensure => absent,
 }
 File['/var/lib/gridengine'] -> Package <| title == 'gridengine-common' |>
--
To view, visit https://gerrit.wikimedia.org/r/329382
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iee22dab01af78f38103743644061e4387d254d12
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
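Review bot: Dropping the `file { '/etc/ssh/ssh_known_hosts': … }` resource here leaves that file managed only by the `$::use_puppetdb` branch of ssh::client, so an instance of this class that is still compiled by a puppetmaster without puppetdb would keep whatever stale known_hosts it already has with nothing refreshing it; a comment next to the removed block should record that dependency, e.g. `# /etc/ssh/ssh_known_hosts is now built by ssh::client from exported sshkey resources; requires use_puppetdb (T153163).` The two `# TODO: Remove after Puppet cycle.` comments do not say which cycle or how to tell it has completed; `# TODO(T153163): remove once every Tools instance has applied this change.` gives a checkable condition. Only the running instance's own `${store}/hostkey-${::fqdn}` is set absent, so hostkey files left by instances that no longer run Puppet will stay on the share; presumably harmless once nothing reads them, but worth a sweep before the TODOs are resolved.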