Remove base.yaml things from openstack_project::server

Now that we've got base server stuff rewritten in ansible, remove the
old puppet versions.

Depends-On: https://review.openstack.org/588326
Change-Id: I5c82fe6fd25b9ddaa77747db377ffa7e8bf23c7b
changes/36/585836/27
Monty Taylor 5 years ago
parent 3e139891be
commit bab6fcad3c
No known key found for this signature in database
GPG Key ID: 7BAE94BC7141A594

@ -131,13 +131,12 @@ To create a new server, do the following:
to manually add the private information to hiera.
* You should be able to install and configure most software only with
puppet. Nonetheless, if you need SSH access to the host, add your
public key to :cgit_file:`modules/openstack_project/manifests/users.pp` and
ansible or puppet. Nonetheless, if you need SSH access to the host,
add your public key to :cgit_file:`playbooks/group_vars/all.yaml` and
include a stanza like this in your server class::
realize (
User::Virtual::Localuser['USERNAME'],
)
extra_users:
- your_user_name
* Add an RST file with documentation about the server in :cgit_file:`doc/source`
and add it to the index in that directory.

@ -12,7 +12,6 @@ $elasticsearch_nodes = hiera_array('elasticsearch_nodes')
#
node default {
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
}
}
@ -27,8 +26,6 @@ node 'review.openstack.org' {
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
sysadmins => hiera('sysadmins', []),
extra_aliases => { 'gerrit2' => 'root' },
}
class { 'openstack_project::review':
@ -75,8 +72,6 @@ node 'review01.openstack.org' {
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
sysadmins => hiera('sysadmins', []),
extra_aliases => { 'gerrit2' => 'root' },
}
class { 'openstack_project::review':
@ -123,8 +118,6 @@ node /^review-dev\d*\.openstack\.org$/ {
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
sysadmins => hiera('sysadmins', []),
extra_aliases => { 'gerrit2' => 'root' },
afs => true,
}
@ -157,7 +150,6 @@ node /^grafana\d*\.openstack\.org$/ {
$group = "grafana"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::grafana':
admin_password => hiera('grafana_admin_password'),
@ -176,7 +168,6 @@ node /^grafana\d*\.openstack\.org$/ {
node /^health\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::openstack_health_api':
subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
@ -188,7 +179,6 @@ node /^cacti\d+\.openstack\.org$/ {
$group = "cacti"
include openstack_project::ssl_cert_check
class { 'openstack_project::cacti':
sysadmins => hiera('sysadmins', []),
cacti_hosts => hiera_array('cacti_hosts'),
vhost_name => 'cacti.openstack.org',
}
@ -198,7 +188,6 @@ node /^cacti\d+\.openstack\.org$/ {
node 'puppetmaster.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [8140],
sysadmins => hiera('sysadmins', []),
pin_puppet => '3.6.',
}
class { 'openstack_project::puppetmaster':
@ -254,7 +243,6 @@ node /^graphite\d*\.openstack\.org$/ {
{protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'},
],
sysadmins => hiera('sysadmins', [])
}
class { '::graphite':
@ -269,7 +257,6 @@ node /^graphite\d*\.openstack\.org$/ {
node /^groups\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::groups':
site_admin_password => hiera('groups_site_admin_password'),
@ -287,7 +274,6 @@ node /^groups\d*\.openstack\.org$/ {
node /^groups-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::groups_dev':
site_admin_password => hiera('groups_dev_site_admin_password'),
@ -306,12 +292,9 @@ node /^groups-dev\d*\.openstack\.org$/ {
node /^lists\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
manage_exim => false,
purge_apt_sources => false,
}
class { 'openstack_project::lists':
listadmins => hiera('listadmins', []),
listpassword => hiera('listpassword'),
}
}
@ -320,12 +303,9 @@ node /^lists\d*\.openstack\.org$/ {
node /^lists\d*\.katacontainers\.io$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
manage_exim => false,
purge_apt_sources => false,
}
class { 'openstack_project::kata_lists':
listadmins => hiera('listadmins', []),
listpassword => hiera('listpassword'),
}
}
@ -336,7 +316,6 @@ node /^paste\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::paste':
db_password => hiera('paste_db_password'),
@ -348,7 +327,6 @@ node /^paste\d*\.openstack\.org$/ {
# Node-OS: xenial
node /planet\d*\.openstack\.org$/ {
class { 'openstack_project::planet':
sysadmins => hiera('sysadmins', []),
}
}
@ -357,7 +335,6 @@ node /^eavesdrop\d*\.openstack\.org$/ {
$group = "eavesdrop"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::eavesdrop':
@ -397,7 +374,6 @@ node /^ethercalc\d+\.openstack\.org$/ {
$group = "ethercalc"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::ethercalc':
@ -413,7 +389,6 @@ node /^ethercalc\d+\.openstack\.org$/ {
node /^etherpad\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::etherpad':
@ -431,7 +406,6 @@ node /^etherpad\d*\.openstack\.org$/ {
node /^etherpad-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::etherpad_dev':
@ -445,7 +419,6 @@ node /^etherpad-dev\d*\.openstack\.org$/ {
node /^wiki\d+\.openstack\.org$/ {
$group = "wiki"
class { 'openstack_project::wiki':
sysadmins => hiera('sysadmins', []),
bup_user => 'bup-wiki',
serveradmin => hiera('infra_apache_serveradmin'),
site_hostname => 'wiki.openstack.org',
@ -468,7 +441,6 @@ node /^wiki\d+\.openstack\.org$/ {
node /^wiki-dev\d+\.openstack\.org$/ {
$group = "wiki-dev"
class { 'openstack_project::wiki':
sysadmins => hiera('sysadmins', []),
serveradmin => hiera('infra_apache_serveradmin'),
site_hostname => 'wiki-dev.openstack.org',
wg_dbserver => hiera('wg_dbserver'),
@ -489,7 +461,6 @@ node /^logstash\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 3306],
iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'),
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::logstash':
@ -512,7 +483,6 @@ node /^logstash-worker\d+\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::logstash_worker':
@ -528,7 +498,6 @@ node /^subunit-worker\d+\.openstack\.org$/ {
$group = "subunit-worker"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::subunit_worker':
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
@ -544,7 +513,6 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'),
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::elasticsearch_node':
discover_nodes => $elasticsearch_nodes,
@ -558,11 +526,8 @@ node /^firehose\d+\.openstack\.org$/ {
# connections seem to crash mosquitto. Once this is fixed we should add
# them back
iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443],
sysadmins => hiera('sysadmins', []),
manage_exim => false,
}
class { 'openstack_project::firehose':
sysadmins => hiera('sysadmins', []),
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
gerrit_private_key => hiera('germqtt_gerrit_ssh_private_key'),
@ -582,7 +547,6 @@ node /^firehose\d+\.openstack\.org$/ {
node /^git(-fe\d+)?\.openstack\.org$/ {
$group = "git-loadbalancer"
class { 'openstack_project::git':
sysadmins => hiera('sysadmins', []),
balancer_member_names => [
'git01.openstack.org',
'git02.openstack.org',
@ -614,7 +578,6 @@ node /^git\d+\.openstack\.org$/ {
include openstack_project
class { 'openstack_project::server':
iptables_public_tcp_ports => [4443, 8080, 29418],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::git_backend':
@ -653,7 +616,6 @@ node /^mirror-update\d*\.openstack\.org$/ {
centos_keytab => hiera('centos_keytab'),
epel_keytab => hiera('epel_keytab'),
yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
sysadmins => hiera('sysadmins', []),
}
}
@ -664,7 +626,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
sysadmins => hiera('sysadmins', []),
afs => true,
afs_cache_size => 50000000, # 50GB
}
@ -681,7 +642,6 @@ node /^files\d*\.openstack\.org$/ {
$group = "files"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
afs => true,
afs_cache_size => 10000000, # 10GB
}
@ -712,7 +672,6 @@ node /^files\d*\.openstack\.org$/ {
node /^refstack\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'refstack':
mysql_host => hiera('refstack_mysql_host', 'localhost'),
@ -741,7 +700,6 @@ node /^refstack\d*\.openstack\.org$/ {
node /^storyboard\d*\.openstack\.org$/ {
class { 'openstack_project::storyboard':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
sysadmins => hiera('sysadmins', []),
mysql_host => hiera('storyboard_db_host', 'localhost'),
mysql_user => hiera('storyboard_db_user', 'username'),
mysql_password => hiera('storyboard_db_password'),
@ -772,7 +730,6 @@ node /^storyboard\d*\.openstack\.org$/ {
node /^storyboard-dev\d*\.openstack\.org$/ {
class { 'openstack_project::storyboard::dev':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
sysadmins => hiera('sysadmins', []),
mysql_host => hiera('storyboard_db_host', 'localhost'),
mysql_user => hiera('storyboard_db_user', 'username'),
mysql_password => hiera('storyboard_db_password'),
@ -799,7 +756,6 @@ node /^storyboard-dev\d*\.openstack\.org$/ {
node /^static\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::static':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -837,7 +793,6 @@ node /^zk\d+\.openstack\.org$/ {
{protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'},
{protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'},
],
sysadmins => hiera('sysadmins', []),
}
class { '::zookeeper':
@ -861,7 +816,6 @@ node /^status\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::status':
@ -881,7 +835,6 @@ node /^survey\d+\.openstack\.org$/ {
$group = "survey"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::survey':
@ -905,7 +858,6 @@ node /^adns\d+\.openstack\.org$/ {
$group = 'adns'
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_allowed_hosts => [
{protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
{protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
@ -925,7 +877,6 @@ node /^ns\d+\.openstack\.org$/ {
$group = 'ns'
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_udp_ports => [53],
iptables_public_tcp_ports => [53],
}
@ -969,7 +920,6 @@ node 'nodepool.openstack.org' {
{protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
],
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80],
}
@ -1023,7 +973,6 @@ node /^nl\d+\.openstack\.org$/ {
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80],
}
@ -1086,7 +1035,6 @@ node /^nb\d+\.openstack\.org$/ {
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80, 443],
}
@ -1142,7 +1090,6 @@ node /^ze\d+\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [79, 7900],
sysadmins => hiera('sysadmins', []),
afs => true,
}
@ -1257,7 +1204,6 @@ node /^zuul\d+\.openstack\.org$/ {
{protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'},
],
sysadmins => hiera('sysadmins', []),
}
class { '::project_config':
@ -1348,7 +1294,6 @@ node /^zm\d+.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
@ -1383,7 +1328,6 @@ node /^zm\d+.openstack\.org$/ {
# Node-OS: trusty
node 'pbx.openstack.org' {
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
# SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports => [5060],
@ -1408,8 +1352,6 @@ node /^backup\d+\..*\.ci\.openstack\.org$/ {
$group = "ci-backup"
class { 'openstack_project::server':
iptables_public_tcp_ports => [],
manage_exim => false,
purge_apt_sources => false,
}
include openstack_project::backup_server
}
@ -1417,7 +1359,6 @@ node /^backup\d+\..*\.ci\.openstack\.org$/ {
# Node-OS: trusty
node 'openstackid.org' {
class { 'openstack_project::openstackid_prod':
sysadmins => hiera('sysadmins', []),
site_admin_password => hiera('openstackid_site_admin_password'),
id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'),
id_mysql_password => hiera('openstackid_id_mysql_password'),
@ -1447,7 +1388,6 @@ node 'openstackid.org' {
# Node-OS: trusty
node 'openstackid-dev.openstack.org' {
class { 'openstack_project::openstackid_dev':
sysadmins => hiera('sysadmins', []),
site_admin_password => hiera('openstackid_dev_site_admin_password'),
id_mysql_host => hiera('openstackid_dev_id_mysql_host', 'localhost'),
id_mysql_password => hiera('openstackid_dev_id_mysql_password'),
@ -1484,7 +1424,6 @@ node 'kdc01.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::kdc': }
@ -1495,7 +1434,6 @@ node 'kdc04.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::kdc':
@ -1509,9 +1447,7 @@ node 'afsdb01.openstack.org' {
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true,
manage_exim => true,
}
include openstack_project::afsdb
@ -1524,9 +1460,7 @@ node /^afsdb.*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true,
manage_exim => true,
}
include openstack_project::afsdb
@ -1538,9 +1472,7 @@ node /^afs.*\..*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true,
manage_exim => true,
}
include openstack_project::afsfs
@ -1551,7 +1483,6 @@ node 'ask.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::ask':
@ -1568,7 +1499,6 @@ node 'ask.openstack.org' {
node 'ask-staging.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::ask_staging':
@ -1583,7 +1513,6 @@ node /^translate\d+\.openstack\.org$/ {
$group = "translate"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::translate':
admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
@ -1612,7 +1541,6 @@ node /^translate\d+\.openstack\.org$/ {
node /^translate-dev\d*\.openstack\.org$/ {
$group = "translate-dev"
class { 'openstack_project::translate_dev':
sysadmins => hiera('sysadmins', []),
admin_users => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
openid_url => 'https://openstackid-dev.openstack.org',
listeners => ['ajp'],
@ -1633,7 +1561,6 @@ node /^codesearch\d*\.openstack\.org$/ {
$group = "codesearch"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::codesearch':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',

@ -1 +0,0 @@
APT::Acquire::Retries "20";

@ -1 +0,0 @@
export HISTTIMEFORMAT="%Y-%m-%dT%T%z "

@ -1,6 +0,0 @@
[puppetlabs-products]
name=Puppet Labs Products El 7 - $basearch
baseurl=http://yum.puppetlabs.com/el/7/products/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=1

@ -1,4 +0,0 @@
# Original 1024
* soft nofile 4096
# Original 4096
* hard nofile 8192

@ -1,69 +0,0 @@
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
# Commenting out since we don't install xconsoles on headless servers.
#daemon.*;mail.*;\
# news.err;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole

@ -1,13 +0,0 @@
# This file is kept updated by puppet, adapted from
# http://ubuntuguide.org/wiki/Ubuntu_Trusty_Packages_and_Repositories
deb http://us.archive.ubuntu.com/ubuntu trusty main restricted
deb http://us.archive.ubuntu.com/ubuntu trusty-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu trusty universe
deb http://us.archive.ubuntu.com/ubuntu trusty-updates universe
deb http://us.archive.ubuntu.com/ubuntu trusty multiverse
deb http://us.archive.ubuntu.com/ubuntu trusty-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse

@ -1,35 +0,0 @@
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse
## Major bug fix updates produced after the final release of the
## distribution.
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse
## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://ports.ubuntu.com/ubuntu-ports/ xenial universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial universe
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted
# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe
# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse
# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse

@ -1,13 +0,0 @@
# This file is kept updated by puppet, adapted from
# https://help.ubuntu.com/lts/serverguide/configuration.html
deb http://us.archive.ubuntu.com/ubuntu xenial main restricted
deb http://us.archive.ubuntu.com/ubuntu xenial-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu xenial universe
deb http://us.archive.ubuntu.com/ubuntu xenial-updates universe
deb http://us.archive.ubuntu.com/ubuntu xenial multiverse
deb http://us.archive.ubuntu.com/ubuntu xenial-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu xenial-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
deb http://security.ubuntu.com/ubuntu xenial-security universe
deb http://security.ubuntu.com/ubuntu xenial-security multiverse

@ -1,81 +0,0 @@
[commands]
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
update_cmd = default
# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes
# Whether updates should be downloaded when they are available.
download_updates = yes
# Whether updates should be applied when they are available. Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes
# Maximum amout of time to randomly sleep, in minutes. The program
# will sleep for a random amount of time between 0 and random_sleep
# minutes before running. This is useful for e.g. staggering the
# times that multiple systems will access update servers. If
# random_sleep is 0 or negative, the program will run immediately.
# 6*60 = 360
random_sleep = 360
[emitters]
# Name to use for this system in messages that are emitted. If
# system_name is None, the hostname will be used.
system_name = None
# How to send messages. Valid options are stdio and email. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio
# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80
[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from = root@localhost
# List of addresses to send messages to.
email_to = root
# Name of the host to connect to to send email messages.
email_host = localhost
[groups]
# NOTE: This only works when group_command != objects, which is now the default
# List of groups to update
group_list = None
# The types of group packages to install
group_package_types = mandatory, default
[base]
# This section overrides yum.conf
# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2
# skip_broken = True
mdpolicy = group:main
# Uncomment to auto-import new gpg keys (dangerous)
# assumeyes = True

@ -17,10 +17,6 @@ class openstack_project::ask (
$askbot_revision = '87086ebcefc5be29e80d3228e465e6bec4523fcf'
) {
realize (
User::Virtual::Localuser['mkiss'],
)
file { '/srv/dist':
ensure => directory,
owner => 'root',

@ -13,10 +13,6 @@ class openstack_project::ask_staging (
$solr_version = '4.10.4'
) {
realize (
User::Virtual::Localuser['mkiss'],
)
file { '/srv/dist':
ensure => directory,
owner => 'root',

@ -1,6 +1,5 @@
# Class to configure cacti on a node.
class openstack_project::cacti (
$sysadmins = [],
$cacti_hosts = [],
$vhost_name = '',
) {
@ -11,7 +10,6 @@ class openstack_project::cacti (
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => $sysadmins,
}
class { '::apache':

@ -15,7 +15,6 @@
# firehose glue class.
#
class openstack_project::firehose (
$sysadmins = [],
$gerrit_username = 'germqtt',
$gerrit_public_key,
$gerrit_private_key,
@ -69,36 +68,6 @@ class openstack_project::firehose (
ensure => running,
}
class {'::exim':
sysadmins => $sysadmins,
local_domains => "@:firehose.openstack.org",
default_localuser_router => false,
routers => [
{'cyrus' => {
'driver' => 'accept',
'domains' => '+local_domains',
'local_part_suffix' => '+*',
'local_part_suffix_optional' => true,
'transport' => 'cyrus',
}},
{'localuser' => {
'driver' => 'accept',
'check_local_user' => true,
'transport' => 'local_delivery',
'cannot_route_message' => 'Unknown user',
}}
],
transports => [
{'cyrus' => {
'driver' => 'lmtp',
'socket' => '/var/run/cyrus/socket/lmtp',
'user' => 'cyrus',
'batch_max' => '35',
}}
],
require => Package['cyrus-imapd'],
}
include lpmqtt
class {'lpmqtt::server':
mqtt_username => $mqtt_username,

@ -16,14 +16,12 @@
#
# == Class: openstack_project::git
class openstack_project::git (
$sysadmins = [],
$balancer_member_names = [],
$balancer_member_ips = [],
$selinux_mode = 'enforcing'
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 9418],
sysadmins => $sysadmins,
}
if ($::osfamily == 'RedHat') {
@ -148,6 +146,13 @@ class openstack_project::git (
notify => Service['rsyslog'],
}
# TODO(mordred) We should get this haproxy stuff ported to ansible ASAP.
# Ansible is the one installing rsyslog.
service { 'rsyslog':
ensure => running,
enable => true,
hasrestart => true,
}
# haproxy statsd
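Review bot: The added `service { 'rsyslog': ... }` resource in the second hunk manages a daemon whose package Puppet no longer installs, so the target of `notify => Service['rsyslog']` now depends on an ansible run having finished first. If Puppet applies this class before that, `ensure => running` would presumably fail and the haproxy logs routed through rsyslog would not be collected, which matters when reviewing an incident on a public-facing load balancer. I would make the ordering assumption explicit in the TODO, e.g. `# Requires the base ansible playbook to have installed rsyslog before puppet runs; declared here only so the notify above has a target.` It is also worth confirming that no other class applied to these nodes still declares `Service['rsyslog']`, since a duplicate declaration fails catalog compilation. That cannot be checked from these hunks, as the class body continues outside them.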

@ -28,10 +28,6 @@ class openstack_project::groups (
$site_ssl_chain_file = '/etc/ssl/certs/groups.openstack.org_ca.pem',
) {
realize (
User::Virtual::Localuser['mkiss'],
)
vcsrepo { '/srv/groups-static-pages':
ensure => latest,
provider => git,

@ -25,10 +25,6 @@ class openstack_project::groups_dev (
$site_ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key',
) {
realize (
User::Virtual::Localuser['mkiss'],
)
# include drupal
vcsrepo { '/srv/groups-static-pages':

@ -35,8 +35,4 @@ class openstack_project::infracloud::baremetal (
ipv4_subnet_mask => $ipv4_subnet_mask,
}
realize (
User::Virtual::Localuser['colleen'],
)
}

@ -50,9 +50,4 @@ class openstack_project::infracloud::controller (
neutron_subnet_allocation_pools => $neutron_subnet_allocation_pools,
mysql_max_connections => $mysql_max_connections,
}
realize (
User::Virtual::Localuser['colleen'],
)
}

@ -1,28 +1,13 @@
# == Class: openstack_project::kata_lists
#
class openstack_project::kata_lists(
$listadmins,
$listpassword = ''
) {
$listdomain = 'lists.katacontainers.io'
class { 'exim':
sysadmins => $listadmins,
queue_interval => '1m',
queue_run_max => '50',
mailman_domains => [$listdomain],
smtp_accept_max => '100',
smtp_accept_max_per_host => '10',
}
class { 'mailman':
vhost_name => $listdomain,
vhost_name => 'lists.katacontainers.io'
}
realize (
User::Virtual::Localuser['jbryce'],
)
Maillist {
provider => 'noaliasmailman',
}
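Review bot: With the `class { 'exim': ... }` block gone, nothing in `openstack_project::kata_lists` records where the MTA for this list host is configured, and the header comment is the place to say so, e.g. `# exim for this host is configured by the base ansible playbooks, not by this class.` The removed block carried the SMTP connection limits (`smtp_accept_max => '100'`, `smtp_accept_max_per_host => '10'`) for a host that site.pp exposes on port 25, so the ansible side should be checked for equivalent limits; that configuration is not visible in this commit. The same applies to the exim blocks removed from `openstack_project::lists` and `openstack_project::firehose`, the former of which also held the `*-owner` aliases that reject mail with a `:fail:` message.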

@ -1,113 +1,13 @@
# == Class: openstack_project::lists
#
class openstack_project::lists(
$listadmins,
$listpassword = ''
) {
$mm_domains='lists.openstack.org:lists.zuul-ci.org:lists.airshipit.org:lists.starlingx.io'
class { 'mailman':
multihost => true,
}
class { 'exim':
sysadmins => $listadmins,
queue_interval => '1m',
queue_run_max => '50',
smtp_accept_max => '100',
smtp_accept_max_per_host => '10',
extra_aliases => {
'ambassadors-owner' => 'spam',
'community-owner' => 'spam',
'foundation-board-confidential-owner' => 'spam',
'foundation-board-owner' => 'spam',
'foundation-owner' => 'spam',
'legal-discuss-owner' => 'spam',
'mailman-owner' => 'spam',
'marketing-owner' => 'spam',
'openstack-announce-owner' => 'spam',
'openstack-dev-owner' => 'spam',
'openstack-docs-owner' => 'spam',
'openstack-fr-owner' => 'spam',
'openstack-i18n-owner' => 'spam',
'openstack-infra-owner' => 'spam',
'openstack-operators-owner' => 'spam',
'openstack-owner' => 'spam',
'openstack-qa-owner' => 'spam',
'openstack-security-owner' => 'spam',
'openstack-tc-owner' => 'spam',
'openstack-vi-owner' => 'spam',
'product-wg-owner' => 'spam',
'superuser-owner' => 'spam',
'user-committee-owner' => 'spam',
'women-of-openstack-owner' => 'spam',
'spam' => ':fail: delivery temporarily disabled due to ongoing spam flood',
},
local_domains => "@:$mm_domains",
routers => [
{'mailman_verp_router' => {
'driver' => 'dnslookup',
# we only consider messages sent in through loopback
'condition' => '${if or{{eq{$sender_host_address}{127.0.0.1}}\
{eq{$sender_host_address}{::1}}}{yes}{no}}',
# we do not do this for traffic going to the local machine
'domains' => '!+local_domains',
'ignore_target_hosts' => '<; 0.0.0.0; \
64.94.110.11; \
127.0.0.0/8; \
::1/128;fe80::/10;fe \
c0::/10;ff00::/8',
# only the un-VERPed bounce addresses are handled
'senders' => '"*-bounces@*"',
'transport' => 'mailman_verp_smtp',
}
},
{'mailman_router' => {
'driver' => 'accept',
'domains' => "$mm_domains",
'require_files' => '${lookup{${lc::$domain}}lsearch{/etc/mailman/sites}}/lists/${lc::$local_part}/config.pck',
'local_part_suffix_optional' => true,
'local_part_suffix' => '-admin : \
-bounces : -bounces+* : \
-confirm : -confirm+* : \
-join : -leave : \
-owner : -request : \
-subscribe : -unsubscribe',
'transport' => 'mailman_transport',
}
},
],
transports => [
{'mailman_transport' => {
'driver' => 'pipe',
'environment' => 'MAILMAN_SITE_DIR=${lookup{${lc:$domain}}lsearch{/etc/mailman/sites}}',
'command' => '/var/lib/mailman/mail/mailman \
\'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}\' \
$local_part',
'current_directory' => '/var/lib/mailman',
'home_directory' => '/var/lib/mailman',
'user' => 'list',
'group' => 'list',
}
},
{'mailman_verp_smtp' => {
'driver' => 'smtp',
'return_path' => '${local_part:$return_path}+$local_part=$domain@${domain:$return_path}',
'max_rcpt' => '1',
'headers_remove' => 'Errors-To',
'headers_add' => 'Errors-To: ${return_path}',
}
},
]
}
realize (
User::Virtual::Localuser['smaffulli'],
)
# Disable inactive admins
user::virtual::disable { 'oubiwann': }
user::virtual::disable { 'rockstar': }

@ -1,7 +1,6 @@
# == Class: openstack_project::mirror_update
#
class openstack_project::mirror_update (
$sysadmins = [],
$bandersnatch_keytab = '',
$reprepro_keytab = '',
$admin_keytab = '',
@ -16,7 +15,6 @@ class openstack_project::mirror_update (
include ::openstack_project::reprepro_mirror
class { 'openstack_project::server':
sysadmins => $sysadmins,
afs => true,
}

@ -15,7 +15,6 @@
# openstackid idp(sso-openid) dev server
#
class openstack_project::openstackid_dev (
$sysadmins = [],
$site_admin_password = '',
$id_mysql_host = '',
$id_mysql_user = '',
@ -62,14 +61,8 @@ class openstack_project::openstackid_dev (
$session_cookie_secure = false,
) {
realize (
User::Virtual::Localuser['smarcet'],
User::Virtual::Localuser['mkiss'],
)
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => $sysadmins,
}
class { 'openstackid':
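Review bot: The `realize` of `User::Virtual::Localuser['smarcet']` and `['mkiss']` disappears from this class with nothing left in the manifest to say where per-host shell access is decided now; the openstackid_prod, pbx and review_dev sections below drop their users the same way. Puppet stops managing a resource that leaves the catalog rather than removing it, so accounts and authorized keys already on these hosts presumably stay until the Ansible side either lists them under `extra_users` or disables them, and neither is visible here. I would add a pointer above the server class, `# Per-host shell users are granted via extra_users in the Ansible host/group vars, not in this class.`, and confirm that each dropped user was consciously kept or revoked on the Ansible side. The class body continues past the end of this hunk.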

@ -15,7 +15,6 @@
# openstackid idp(sso-openid) server
#
class openstack_project::openstackid_prod (
$sysadmins = [],
$site_admin_password = '',
$id_mysql_host = '',
$id_mysql_user = '',
@ -63,14 +62,8 @@ class openstack_project::openstackid_prod (
$session_cookie_secure = false,
) {
realize (
User::Virtual::Localuser['smarcet'],
User::Virtual::Localuser['maxwell'],
)
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => $sysadmins,
}
class { 'openstackid':

@ -1,39 +0,0 @@
# Class: openstack_project::params
#
# This class holds parameters that need to be
# accessed by other classes.
class openstack_project::params {
$cross_platform_packages = [
'at',
'git',
'lvm2',
'parted',
'rsync',
'strace',
'tcpdump',
'wget',
]
case $::osfamily {
'RedHat': {
$packages = concat($cross_platform_packages, ['iputils', 'bind-utils'])
$user_packages = ['emacs-nox', 'vim-enhanced']
$login_defs = 'puppet:///modules/openstack_project/login.defs.redhat'
}
'Debian': {
$packages = concat($cross_platform_packages, ['iputils-ping', 'dnsutils'])
case $::operatingsystemrelease {
/^(12|14)\.(04|10)$/: {
$user_packages = ['emacs23-nox', 'vim-nox', 'iftop',
'sysstat', 'iotop']
}
default: {
$user_packages = ['emacs-nox', 'vim-nox']
}
}
$login_defs = 'puppet:///modules/openstack_project/login.defs.debian'
}
default: {
fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).")
}
}
}

@ -18,9 +18,6 @@
class openstack_project::pbx (
$sip_providers = [],
) {
realize (
User::Virtual::Localuser['rbryant'],
)
class { 'asterisk':
modules_conf_source => 'puppet:///modules/openstack_project/pbx/asterisk/modules.conf',

@ -1,11 +1,9 @@
# == Class: openstack_project::planet
#
class openstack_project::planet (
$sysadmins = []
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => $sysadmins,
}
include ::planet

@ -43,10 +43,6 @@ class openstack_project::review_dev (
}
}
realize (
User::Virtual::Localuser['zaro'],
)
class { 'project_config':
url => $project_config_repo,
base => 'dev/',

@ -7,116 +7,21 @@ class openstack_project::server (
$iptables_rules4 = [],
$iptables_rules6 = [],
$iptables_allowed_hosts = [],
$sysadmins = [],
$extra_aliases = {},
$pin_puppet = '3.',
$ca_server = undef,
$enable_unbound = true,
$afs = false,
$afs_cache_size = 500000,
$manage_exim = true,
$pypi_index_url = 'https://pypi.python.org/simple',
$purge_apt_sources = true,
) {
include sudoers
include openstack_project::params
include openstack_project::users
class { 'openstack_project::users_install':
install_users => true,
}
class { 'timezone':
timezone => 'Etc/UTC',
}
package { 'rsyslog':
ensure => present,
}
service { 'rsyslog':
ensure => running,
enable => true,
hasrestart => true,
require => Package['rsyslog'],
}
# Increase syslog message size in order to capture
# python tracebacks with syslog.
file { '/etc/rsyslog.d/99-maxsize.conf':
ensure => present,
# Note MaxMessageSize is not a puppet variable.
content => '$MaxMessageSize 6k',
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['rsyslog'],
require => Package['rsyslog'],
}
if $::osfamily == 'Debian' {
file { '/etc/security/limits.d/60-nofile-limit.conf':
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/openstack_project/debian_limits.conf',
replace => true,
}
file { '/etc/apt/apt.conf.d/80retry':
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/80retry',
replace => true,
}
file { '/etc/apt/apt.conf.d/90no-translations':
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/90no-translations',
replace => true,
}
# Custom rsyslog config to disable /dev/xconsole noise on Debuntu servers
file { '/etc/rsyslog.d/50-default.conf':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',