From 94acd79ea0fbd6bdf8b155490328efd799848bba Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Thu, 14 Jan 2016 18:56:24 +0000
Subject: [PATCH] Puppet the Ubuntu sources.list files on servers

Because some of our virtual machine providers have perverse ideas about maintaining their own mirrors of security update package repositories, which is widely acknowledged[*] as an unsafe practice, it's easiest to just fix this with a consistent sources.list file across all our servers and not bother with package mirrors for now. Note this should not affect our single-use workers as they do not apply the openstack_project::server class.
[*] http://askubuntu.com/questions/646853
Change-Id: I26c1ba0e0b6366249b9634f85bb54ed412ecb789
---
 .../openstack_project/files/sources.list.precise | 13 +++++++++++++
 .../openstack_project/files/sources.list.trusty | 13 +++++++++++++
 modules/openstack_project/manifests/server.pp | 1 +
 modules/openstack_project/manifests/template.pp | 15 ++++++++++++++-
 4 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 modules/openstack_project/files/sources.list.precise
 create mode 100644 modules/openstack_project/files/sources.list.trusty
diff --git a/modules/openstack_project/files/sources.list.precise b/modules/openstack_project/files/sources.list.precise
new file mode 100644
index 0000000000..1d94ffa450
--- /dev/null
+++ b/modules/openstack_project/files/sources.list.precise
@@ -0,0 +1,13 @@
+# This file is kept updated by puppet, adapted from
+# https://help.ubuntu.com/12.04/sample/sources.list
+
+deb http://us.archive.ubuntu.com/ubuntu precise main restricted
+deb http://us.archive.ubuntu.com/ubuntu precise-updates main restricted
+deb http://us.archive.ubuntu.com/ubuntu precise universe
+deb http://us.archive.ubuntu.com/ubuntu precise-updates universe
+deb http://us.archive.ubuntu.com/ubuntu precise multiverse
+deb http://us.archive.ubuntu.com/ubuntu precise-updates multiverse
+deb http://us.archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse
+deb http://security.ubuntu.com/ubuntu precise-security main restricted
+deb http://security.ubuntu.com/ubuntu precise-security universe
+deb http://security.ubuntu.com/ubuntu precise-security multiverse
diff --git a/modules/openstack_project/files/sources.list.trusty b/modules/openstack_project/files/sources.list.trusty
new file mode 100644
index 0000000000..14964e38a1
--- /dev/null
+++ b/modules/openstack_project/files/sources.list.trusty
@@ -0,0 +1,13 @@
+# This file is kept updated by puppet, adapted from
+# http://ubuntuguide.org/wiki/Ubuntu_Trusty_Packages_and_Repositories
+
+deb http://us.archive.ubuntu.com/ubuntu trusty main restricted
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates main restricted
+deb http://us.archive.ubuntu.com/ubuntu trusty universe
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates universe
+deb http://us.archive.ubuntu.com/ubuntu trusty multiverse
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates multiverse
+deb http://us.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
+deb http://security.ubuntu.com/ubuntu trusty-security main restricted
+deb http://security.ubuntu.com/ubuntu trusty-security universe
+deb http://security.ubuntu.com/ubuntu trusty-security multiverse
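Review bot: The header comments in sources.list.precise and sources.list.trusty do not mention that every entry, including the three `*-security` lines in each file, is fetched over plain `http://`. Package integrity on these servers therefore rests on apt verifying the signed Release metadata, which is apt's default behaviour but is neither stated nor enforced anywhere in this change. I would add a line under the existing header in both files, for example `# Plain HTTP: integrity relies on apt's signature checks on Release files; never allow unauthenticated installs on these hosts.`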
diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index 8c3cb4d2a4..c627689de9 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp @@ -41,5 +41,6 @@ class openstack_project::server ( sysadmins => $sysadmins, pypi_index_url => $pypi_index_url, pypi_trusted_hosts => $pypi_trusted_hosts, + purge_apt_sources => true, } } diff --git a/modules/openstack_project/manifests/template.pp b/modules/openstack_project/manifests/template.pp index 04cc6a7685..e19a8b5470 100644 --- a/modules/openstack_project/manifests/template.pp +++ b/modules/openstack_project/manifests/template.pp @@ -29,6 +29,7 @@ class openstack_project::template ( 'pypi.region-b.geo-1.openstack.org', 'pypi.regionone.openstack.org', ], + $purge_apt_sources = false, ) { ########################################################### @@ -197,7 +198,19 @@ class openstack_project::template ( case $::osfamily { 'Debian': { - include apt + # Purge and augment existing /etc/apt/sources.list if requested + class { '::apt': + purge => { 'sources.list' => $purge_apt_sources } + } + if $purge_apt_sources == true { + file { '/etc/apt/sources.list.d/openstack-infra.list': + ensure => present, + group => 'root', + mode => '0444', + owner => 'root', + source => "puppet:///modules/openstack_project/sources.list.${::lsbdistcodename}", + } + } # Make sure dig is installed package { 'dnsutils':
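Review bot: In the second template.pp hunk the `source` of `/etc/apt/sources.list.d/openstack-infra.list` interpolates `${::lsbdistcodename}`, but the commit ships only the `.precise` and `.trusty` files while the branch matches every `'Debian'` osfamily host. On a server with any other codename the file resource would presumably fail to find its source while the `purge` setting still clears /etc/apt/sources.list, which could leave the host with no package sources at all, the security pocket included. A guard ahead of the `class { '::apt': ... }` declaration would make that failure explicit: `if $purge_apt_sources and !($::lsbdistcodename in ['precise', 'trusty']) { fail("no sources.list for ${::lsbdistcodename}") }`. The purge hash also covers only `'sources.list'`, so any provider-written entries under /etc/apt/sources.list.d/ would stay active; adding `'sources.list.d' => $purge_apt_sources` looks worth considering, after checking that nothing unmanaged there is still needed. The enclosing `case` block and class body continue outside the hunk.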