Puppet the Ubuntu sources.list files on servers

Because some of our virtual machine providers have perverse ideas about maintaining their own mirrors of security update package repositories, which is widely acknowledged[*] as an unsafe practice, it's easiest to just fix this with a consistent sources.list file across all our servers and not bother with package mirrors for now. Note this should not affect our single-use workers as they do not apply the openstack_project::server class. [*] http://askubuntu.com/questions/646853 Change-Id: I26c1ba0e0b6366249b9634f85bb54ed412ecb789
2016-01-14 18:56:24 +00:00 · 2016-01-14 18:56:24 +00:00 · 94acd79ea0
commit 94acd79ea0
parent 5e63349100
4 changed files with 41 additions and 1 deletions
--- a/modules/openstack_project/files/sources.list.precise
+++ b/modules/openstack_project/files/sources.list.precise
@ -0,0 +1,13 @@
+# This file is kept updated by puppet, adapted from
+# https://help.ubuntu.com/12.04/sample/sources.list
+
+deb http://us.archive.ubuntu.com/ubuntu precise main restricted
+deb http://us.archive.ubuntu.com/ubuntu precise-updates main restricted
+deb http://us.archive.ubuntu.com/ubuntu precise universe
+deb http://us.archive.ubuntu.com/ubuntu precise-updates universe
+deb http://us.archive.ubuntu.com/ubuntu precise multiverse
+deb http://us.archive.ubuntu.com/ubuntu precise-updates multiverse
+deb http://us.archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse
+deb http://security.ubuntu.com/ubuntu precise-security main restricted
+deb http://security.ubuntu.com/ubuntu precise-security universe
+deb http://security.ubuntu.com/ubuntu precise-security multiverse
--- a/modules/openstack_project/files/sources.list.trusty
+++ b/modules/openstack_project/files/sources.list.trusty
@ -0,0 +1,13 @@
+# This file is kept updated by puppet, adapted from
+# http://ubuntuguide.org/wiki/Ubuntu_Trusty_Packages_and_Repositories
+
+deb http://us.archive.ubuntu.com/ubuntu trusty main restricted
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates main restricted
+deb http://us.archive.ubuntu.com/ubuntu trusty universe
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates universe
+deb http://us.archive.ubuntu.com/ubuntu trusty multiverse
+deb http://us.archive.ubuntu.com/ubuntu trusty-updates multiverse
+deb http://us.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
+deb http://security.ubuntu.com/ubuntu trusty-security main restricted
+deb http://security.ubuntu.com/ubuntu trusty-security universe
+deb http://security.ubuntu.com/ubuntu trusty-security multiverse
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@ -41,5 +41,6 @@ class openstack_project::server (
    sysadmins                 => $sysadmins,
    pypi_index_url            => $pypi_index_url,
    pypi_trusted_hosts        => $pypi_trusted_hosts,
+    purge_apt_sources         => true,
  }
 }
--- a/modules/openstack_project/manifests/template.pp
+++ b/modules/openstack_project/manifests/template.pp
@ -29,6 +29,7 @@ class openstack_project::template (
      'pypi.region-b.geo-1.openstack.org',
      'pypi.regionone.openstack.org',
  ],
+  $purge_apt_sources         = false,
 ) {

  ###########################################################
@ -197,7 +198,19 @@ class openstack_project::template (

  case $::osfamily {
    'Debian': {
-      include apt
+      # Purge and augment existing /etc/apt/sources.list if requested
+      class { '::apt':
+        purge => { 'sources.list' => $purge_apt_sources }
+      }
+      if $purge_apt_sources == true {
+        file { '/etc/apt/sources.list.d/openstack-infra.list':
+          ensure => present,
+          group  => 'root',
+          mode   => '0444',
+          owner  => 'root',
+          source => "puppet:///modules/openstack_project/sources.list.${::lsbdistcodename}",
+        }
+      }

      # Make sure dig is installed
      package { 'dnsutils':