system-config/modules/openstack_project/manifests/server.pp

# == Class: openstack_project::server
#
# A server that we expect to run for some time
class openstack_project::server (
  $iptables_public_tcp_ports = [],
  $iptables_public_udp_ports = [],
  $iptables_rules4           = [],
  $iptables_rules6           = [],
  $sysadmins                 = [],
  $certname                  = $::fqdn,
  $pin_puppet                = '3.',
  $ca_server                 = undef,
  $enable_unbound            = true,
  $afs                       = false,
  $afs_cache_size            = 500000,
  $puppetmaster_server       = 'puppetmaster.openstack.org',
  $manage_exim               = true,
  $pypi_index_url            = 'https://pypi.python.org/simple',
  $purge_apt_sources         = true,
) {
  include openstack_project::params

  if $::osfamily == 'Debian' {
     # Purge and augment existing /etc/apt/sources.list if requested, and make
     # sure apt-get update is run before any packages are installed
     class { '::apt':
       purge => { 'sources.list' => $purge_apt_sources }
     }
     if $purge_apt_sources == true {
       file { '/etc/apt/sources.list.d/openstack-infra.list':
         ensure => present,
         group  => 'root',
         mode   => '0444',
         owner  => 'root',
         source => "puppet:///modules/openstack_project/sources.list.${::lsbdistcodename}",
       }
       exec { 'update-apt':
           command     => 'apt-get update',
           refreshonly => true,
           path        => '/bin:/usr/bin',
           subscribe   => File['/etc/apt/sources.list.d/openstack-infra.list'],
       }
       Exec['update-apt'] -> Package <| |>
     }
   }

  package { $::openstack_project::params::packages:
    ensure => present
  }

  ###########################################################
  # Manage  ntp

  include '::ntp'

  if ($::osfamily == "RedHat") {
    # Utils in ntp-perl are included in Debian's ntp package; we
    # add it here for consistency.  See also
    # https://tickets.puppetlabs.com/browse/MODULES-3660
    package { 'ntp-perl':
      ensure => present
    }
    # NOTE(pabelanger): We need to ensure ntpdate service starts on boot for
    # centos-7.  Currently, ntpd explicitly require ntpdate to be running before
    # the sync process can happen in ntpd.  As a result, if ntpdate is not
    # running, ntpd will start but fail to sync because of DNS is not properly
    # setup.
    package { 'ntpdate':
      ensure => present,
    }
    service { 'ntpdate':
      enable => true,
      require => Package['ntpdate'],
    }
  }

  class { 'openstack_project::template':
    iptables_public_tcp_ports => $iptables_public_tcp_ports,
    iptables_public_udp_ports => $iptables_public_udp_ports,
    iptables_rules4           => $iptables_rules4,
    iptables_rules6           => $iptables_rules6,
    certname                  => $certname,
    pin_puppet                => $pin_puppet,
    ca_server                 => $ca_server,
    puppetmaster_server       => $puppetmaster_server,
    enable_unbound            => $enable_unbound,
    afs                       => $afs,
    afs_cache_size            => $afs_cache_size,
    manage_exim               => $manage_exim,
    sysadmins                 => $sysadmins,
    pypi_index_url            => $pypi_index_url,
  }

}
Cleanup openstack_project manifest lint errors. Now with extra unwrap! Change-Id: I7c622ffa77821f33f911793fc6b6cdaaba37904a Reviewed-on: https://review.openstack.org/15052 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins 2012-11-15 14:25:13 -08:00			`# == Class: openstack_project::server`
			`#`
Move OpenStack classes to openstack_project module Change-Id: Iafcd2e06c5b62e4cde5eccaab3173a20bb08a78d 2012-07-20 18:56:35 -07:00			`# A server that we expect to run for some time`
Use puppetmaster for slaves. Use puppet agent --test for puppet cron. We don't need the private ssh or gpg key on the slaves anymore. We do need the glance testing stuff, so stick that into hiera. Change-Id: If94fc3f150bf569efe9461f80d3565f9825eebce Reviewed-on: https://review.openstack.org/10851 Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins 2012-08-05 13:02:21 -05:00			`class openstack_project::server (`
			`$iptables_public_tcp_ports = [],`
Allow specification of public UDP ports The iptables class allowed specifying a list of public UDP ports, just like it has support for TCP. However, a couple of places needed to be updated to pass through the UDP port list to make it usable. Change-Id: I00764bf1d7baff862fa51a6cd03211fe9a29ecdd 2013-07-17 15:25:56 +00:00			`$iptables_public_udp_ports = [],`
Make iptables additional rules a list. A list of iptables commands that come after the "-A OPENSTACK-INPUT" bit. Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3 Reviewed-on: https://review.openstack.org/17172 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Approved: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins 2012-11-29 15:58:31 -08:00			`$iptables_rules4 = [],`
			`$iptables_rules6 = [],`
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins 2012-09-06 10:32:48 -07:00			`$sysadmins = [],`
Add node def for puppet3 master This change modifies install_puppet.sh to accept a --three option setting it to install the latest puppet available. It also creates a node definition for the puppetmaster.o.o node, the new 3 master, and the master of the future. Changes were made to various classes to allow the pinning to version 2.x to be turned off. Change-Id: I805d6dc50b9de0d8a99cf818d22d06c2dea6090a 2014-03-28 00:11:10 -07:00			`$certname = $::fqdn,`
Revert "Stop managing puppet apt pins" This reverts commit 5be2e2f18ac1f4489be760717519252ba20d4fba. Yay! We've sucessfully upgraded to puppet3 and the sun is shining! Start managing apt pins for puppet again, and also, set the default to be 3.x everywhere. Change-Id: I80db5b5e154a3849914aa348e1eabadd0a2ad936 2014-09-10 13:17:45 -07:00			`$pin_puppet = '3.',`
Allow site.pp to manage ca and ca_sever in puppet.conf This allows us to set ca = false and ca_server = <fqdn> on the new puppet 3 master. Change-Id: Iba189bdc4bfb22fd23052f2570f52133ea184126 2014-07-02 14:34:36 -07:00			`$ca_server = undef,`
Expose enable_unbound in openstack_project::server The openstack_project::template class has an $enable_unbound parameter that controls whether the unbound class is declared. Since openstack_project::server mostly just wraps the openstack_project::template class, we should be able to pass this parameter through openstack_project::server into openstack_project::template. The use case for allowing more control over unbound is that the InfraCloud baremetal nodes will use bifrost which sets up a dnsmasq during the install process. By default dnsmasq listens on localhost:53 which conflicts with unbound listening on the same interface and port. Currently bifrost doesn't allow us to configure the except-interface option in dnsmasq.conf, though adding that functionality is probably a valid alternative to this patch. Since we don't really need unbound when we control the dhcp server that assigns the domain-name-servers, it's easiest to just not include it. Change-Id: I6f7ea252950d78db55411133966eff3b18ef0ec9 2015-11-16 19:28:21 -08:00			`$enable_unbound = true,`
Add AFS I don't really think this needs any further explanation. Change-Id: I41378bd320c6c6fad2c981d5cc773486af075c41 2014-10-18 16:22:52 -07:00			`$afs = false,`
Set AFS cache size to 50G on mirrors Change-Id: I2cbb453156aef28722b3c8a51bf221d8da8b7e23 2016-01-23 19:45:59 -08:00			`$afs_cache_size = 500000,`
Configure puppetmaster server from manifest Currently the puppetmaster was hardcoded on a template. Add the matching vars to the manifests that use them, to make that setting configurable. Change-Id: I2b641ec11284f325c22c242fabba26d0433bf85b 2015-03-16 13:27:20 +01:00			`$puppetmaster_server = 'puppetmaster.openstack.org',`
Pass exim flag to template rather than exim class Now that the exim flag exists on template, use it in the server manifest. Change-Id: I07652ad88b77a9d551761dcae60208b571261bba 2015-05-14 16:48:10 -07:00			`$manage_exim = true,`
Don't hardcode pip.conf values In the same line as other changes, move settings of config file to template, and expose the settings on manifest, so it can be easily configurable. Depends-On: I78962555c9a9ec1a96ce19810a463a5d619b04f9 Change-Id: I673c9c177bf2fdb3e6428e3ad4252ee76b53309c 2015-06-10 07:47:11 +02:00			`$pypi_index_url = 'https://pypi.python.org/simple',`
Don't purge apt sources on infracloud Without this change, puppetting an infracloud machine from scratch results in an error[1]. The order of events that causes this issue is: 1) Puppet purges /etc/apt/sources.list, removing all of apt's knowledge of other sources 2) Puppet creates /etc/apt/sources.list.d/openstack-infra.list, but this will have no effect on apt's knowledge of other sources until an apt-get update is run 3) The puppet-openstack_extras module runs an exec to install the ubuntu-cloud-keyring package. (This is done with an exec type rather than a package type because it needs to be run before Exec['apt_update'] which is defined in the puppetlabs-apt module.) Since apt at this point knows of no apt sources in the world, it fails to find the package. 4) Apt-get update is run and the world is right again, so subsequent puppet runs or manual installs of ubuntu-cloud-keyring are confusingly successful. A potential fix for this is to create another exec resource that runs apt-get update after adding openstack-infra.list but before installing ubuntu-cloud-keyring, after which apt-get update will run once again. This is inefficient and ugly. Since on these particular nodes we control the base images, and the default apt sources list is sane and matches what we have set in openstack-infra.list anyway, we can just disable the purging of the original sources.list and there will no longer be any point during which apt has no sources. [1] http://paste.openstack.org/show/488079/ Change-Id: I2cb375979d55e612fe8acc4cc7abdd393f39c2b9 2016-02-24 10:50:08 -08:00			`$purge_apt_sources = true,`
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins 2012-09-06 10:32:48 -07:00			`) {`
Move package resources to o_p::server Once nodepool is building worker images with these packages already installed, we don't need to manage them in the common openstack_project::template class. This patch moves them over to openstack_project::server so that it is obvious that puppet doesn't need to manage them for both single-use workers and long-lived servers. Eventually the openstack_project::template class should be empty and we can remove it. Depends-On: Ie1a0aba57390c9c0b269b4cbb076090ae1de73a9 Change-Id: I31295cdf12941e4adcf87a73418df1d17d9ec3d2 2017-03-25 18:48:55 +01:00			`include openstack_project::params`

Move sources.list purging into o_p::server The single use nodepool workers don't need this, so let's slim down the template class by moving this logic into the server class. As we move away from running puppet to build images we should eventually end up with an empty template class that we can delete entirely. Change-Id: Ie65b2572dfdd74ffdefada57faaf03ff30ccd37f 2017-03-25 15:38:20 +01:00			`if $::osfamily == 'Debian' {`
			`# Purge and augment existing /etc/apt/sources.list if requested, and make`
			`# sure apt-get update is run before any packages are installed`
			`class { '::apt':`
			`purge => { 'sources.list' => $purge_apt_sources }`
			`}`
			`if $purge_apt_sources == true {`
			`file { '/etc/apt/sources.list.d/openstack-infra.list':`
			`ensure => present,`
			`group => 'root',`
			`mode => '0444',`
			`owner => 'root',`
			`source => "puppet:///modules/openstack_project/sources.list.${::lsbdistcodename}",`
			`}`
			`exec { 'update-apt':`
			`command => 'apt-get update',`
			`refreshonly => true,`
			`path => '/bin:/usr/bin',`
			`subscribe => File['/etc/apt/sources.list.d/openstack-infra.list'],`
			`}`
			`Exec['update-apt'] -> Package <\| \|>`
			`}`
			`}`
Move package resources to o_p::server Once nodepool is building worker images with these packages already installed, we don't need to manage them in the common openstack_project::template class. This patch moves them over to openstack_project::server so that it is obvious that puppet doesn't need to manage them for both single-use workers and long-lived servers. Eventually the openstack_project::template class should be empty and we can remove it. Depends-On: Ie1a0aba57390c9c0b269b4cbb076090ae1de73a9 Change-Id: I31295cdf12941e4adcf87a73418df1d17d9ec3d2 2017-03-25 18:48:55 +01:00
			`package { $::openstack_project::params::packages:`
			`ensure => present`
			`}`

Move NTP management into openstack_project::server Once nodepool is building images with NTP already installed and enabled, we don't need to manage it in the common openstack_project::template class. This patch moves them over to openstack_project::server so that it is obvious that puppet doesn't need to manage them for both single-use workers and long-lived servers. Eventually the openstack_project::template class should be empty and we can remove it. Depends-On: Iee6babc183dd12cc82ce76ddfde04f2d98ddc4d6 Change-Id: Ie808a5b62014716c8506506fd15f39dba06e76b6 2017-03-28 22:39:40 +02:00			`###########################################################`
			`# Manage ntp`

			`include '::ntp'`

			`if ($::osfamily == "RedHat") {`
			`# Utils in ntp-perl are included in Debian's ntp package; we`
			`# add it here for consistency. See also`
			`# https://tickets.puppetlabs.com/browse/MODULES-3660`
			`package { 'ntp-perl':`
			`ensure => present`
			`}`
			`# NOTE(pabelanger): We need to ensure ntpdate service starts on boot for`
			`# centos-7. Currently, ntpd explicitly require ntpdate to be running before`
			`# the sync process can happen in ntpd. As a result, if ntpdate is not`
			`# running, ntpd will start but fail to sync because of DNS is not properly`
			`# setup.`
			`package { 'ntpdate':`
			`ensure => present,`
			`}`
			`service { 'ntpdate':`
			`enable => true,`
			`require => Package['ntpdate'],`
			`}`
			`}`

Move OpenStack classes to openstack_project module Change-Id: Iafcd2e06c5b62e4cde5eccaab3173a20bb08a78d 2012-07-20 18:56:35 -07:00			`class { 'openstack_project::template':`
Use puppetmaster for slaves. Use puppet agent --test for puppet cron. We don't need the private ssh or gpg key on the slaves anymore. We do need the glance testing stuff, so stick that into hiera. Change-Id: If94fc3f150bf569efe9461f80d3565f9825eebce Reviewed-on: https://review.openstack.org/10851 Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins 2012-08-05 13:02:21 -05:00			`iptables_public_tcp_ports => $iptables_public_tcp_ports,`
Allow specification of public UDP ports The iptables class allowed specifying a list of public UDP ports, just like it has support for TCP. However, a couple of places needed to be updated to pass through the UDP port list to make it usable. Change-Id: I00764bf1d7baff862fa51a6cd03211fe9a29ecdd 2013-07-17 15:25:56 +00:00			`iptables_public_udp_ports => $iptables_public_udp_ports,`
Make iptables additional rules a list. A list of iptables commands that come after the "-A OPENSTACK-INPUT" bit. Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3 Reviewed-on: https://review.openstack.org/17172 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Approved: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins 2012-11-29 15:58:31 -08:00			`iptables_rules4 => $iptables_rules4,`
			`iptables_rules6 => $iptables_rules6,`
Cleanup openstack_project manifest lint errors. Now with extra unwrap! Change-Id: I7c622ffa77821f33f911793fc6b6cdaaba37904a Reviewed-on: https://review.openstack.org/15052 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins 2012-11-15 14:25:13 -08:00			`certname => $certname,`
Add node def for puppet3 master This change modifies install_puppet.sh to accept a --three option setting it to install the latest puppet available. It also creates a node definition for the puppetmaster.o.o node, the new 3 master, and the master of the future. Changes were made to various classes to allow the pinning to version 2.x to be turned off. Change-Id: I805d6dc50b9de0d8a99cf818d22d06c2dea6090a 2014-03-28 00:11:10 -07:00			`pin_puppet => $pin_puppet,`
Allow site.pp to manage ca and ca_sever in puppet.conf This allows us to set ca = false and ca_server = <fqdn> on the new puppet 3 master. Change-Id: Iba189bdc4bfb22fd23052f2570f52133ea184126 2014-07-02 14:34:36 -07:00			`ca_server => $ca_server,`
Configure puppetmaster server from manifest Currently the puppetmaster was hardcoded on a template. Add the matching vars to the manifests that use them, to make that setting configurable. Change-Id: I2b641ec11284f325c22c242fabba26d0433bf85b 2015-03-16 13:27:20 +01:00			`puppetmaster_server => $puppetmaster_server,`
Expose enable_unbound in openstack_project::server The openstack_project::template class has an $enable_unbound parameter that controls whether the unbound class is declared. Since openstack_project::server mostly just wraps the openstack_project::template class, we should be able to pass this parameter through openstack_project::server into openstack_project::template. The use case for allowing more control over unbound is that the InfraCloud baremetal nodes will use bifrost which sets up a dnsmasq during the install process. By default dnsmasq listens on localhost:53 which conflicts with unbound listening on the same interface and port. Currently bifrost doesn't allow us to configure the except-interface option in dnsmasq.conf, though adding that functionality is probably a valid alternative to this patch. Since we don't really need unbound when we control the dhcp server that assigns the domain-name-servers, it's easiest to just not include it. Change-Id: I6f7ea252950d78db55411133966eff3b18ef0ec9 2015-11-16 19:28:21 -08:00			`enable_unbound => $enable_unbound,`
Add AFS I don't really think this needs any further explanation. Change-Id: I41378bd320c6c6fad2c981d5cc773486af075c41 2014-10-18 16:22:52 -07:00			`afs => $afs,`
Set AFS cache size to 50G on mirrors Change-Id: I2cbb453156aef28722b3c8a51bf221d8da8b7e23 2016-01-23 19:45:59 -08:00			`afs_cache_size => $afs_cache_size,`
Pass exim flag to template rather than exim class Now that the exim flag exists on template, use it in the server manifest. Change-Id: I07652ad88b77a9d551761dcae60208b571261bba 2015-05-14 16:48:10 -07:00			`manage_exim => $manage_exim,`
			`sysadmins => $sysadmins,`
Don't hardcode pip.conf values In the same line as other changes, move settings of config file to template, and expose the settings on manifest, so it can be easily configurable. Depends-On: I78962555c9a9ec1a96ce19810a463a5d619b04f9 Change-Id: I673c9c177bf2fdb3e6428e3ad4252ee76b53309c 2015-06-10 07:47:11 +02:00			`pypi_index_url => $pypi_index_url,`
Move OpenStack classes to openstack_project module Change-Id: Iafcd2e06c5b62e4cde5eccaab3173a20bb08a78d 2012-07-20 18:56:35 -07:00			`}`
Move package resources to o_p::server Once nodepool is building worker images with these packages already installed, we don't need to manage them in the common openstack_project::template class. This patch moves them over to openstack_project::server so that it is obvious that puppet doesn't need to manage them for both single-use workers and long-lived servers. Eventually the openstack_project::template class should be empty and we can remove it. Depends-On: Ie1a0aba57390c9c0b269b4cbb076090ae1de73a9 Change-Id: I31295cdf12941e4adcf87a73418df1d17d9ec3d2 2017-03-25 18:48:55 +01:00
Move OpenStack classes to openstack_project module Change-Id: Iafcd2e06c5b62e4cde5eccaab3173a20bb08a78d 2012-07-20 18:56:35 -07:00			`}`