437 lines
17 KiB
Puppet
437 lines
17 KiB
Puppet
# == Class: openstack_project::mirror_update
|
|
#
|
|
# NOTE(ianw) : 2020-10-28 all cron jobs disabled
|
|
# as mirroring has moved to the mirror-update.opendev.org server
|
|
# managed by ansible.
|
|
#
|
|
class openstack_project::mirror_update (
|
|
$reprepro_keytab = '',
|
|
$admin_keytab = '',
|
|
$gem_keytab = '',
|
|
$centos_keytab = '',
|
|
$epel_keytab = '',
|
|
$yum_puppetlabs_keytab = '',
|
|
$fedora_keytab = '',
|
|
$opensuse_keytab = '',
|
|
) {
|
|
include ::gnupg
|
|
include ::openstack_project::reprepro_mirror
|
|
|
|
class { 'openstack_project::server': }
|
|
|
|
class { 'openstack_project::gem_mirror': }
|
|
|
|
file { '/etc/gem.keytab':
|
|
owner => 'rubygems',
|
|
group => 'root',
|
|
mode => '0400',
|
|
content => $gem_keytab,
|
|
require => Class['openstack_project::gem_mirror'],
|
|
}
|
|
|
|
file { '/etc/afsadmin.keytab':
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0400',
|
|
content => $admin_keytab,
|
|
}
|
|
|
|
file { '/usr/local/bin/gem-mirror-update':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
source => 'puppet:///modules/openstack_project/gem-mirror-update.sh',
|
|
}
|
|
|
|
file { '/etc/reprepro.keytab':
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0400',
|
|
content => $reprepro_keytab,
|
|
}
|
|
|
|
file { '/usr/local/bin/reprepro-mirror-update':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
source => 'puppet:///modules/openstack_project/reprepro/reprepro-mirror-update.sh',
|
|
}
|
|
|
|
### Debian mirror ###
|
|
::openstack_project::reprepro { 'debian-reprepro-mirror':
|
|
confdir => '/etc/reprepro/debian',
|
|
basedir => '/afs/.openstack.org/mirror/debian',
|
|
distributions => 'openstack_project/reprepro/distributions.debian.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/debian-updates',
|
|
releases => ['stretch', 'buster'],
|
|
skip_backports_for => [''],
|
|
}
|
|
|
|
cron { 'reprepro debian':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'reprepro-debian'),
|
|
command => 'flock -n /var/run/reprepro/debian.lock reprepro-mirror-update /etc/reprepro/debian mirror.debian >>/var/log/reprepro/debian-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['debian-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
# This key is included as a workaround, as GnuPG (at least the version on
|
|
# Xenial) and so by extension reprepro is unable to parse multi-signature
|
|
# Release files so only sees the first one it encounters, which in the case
|
|
# of the Stretch archive is the Jessie archive signing key.
|
|
gnupg_key { 'Debian 8/jessie Archive':
|
|
ensure => present,
|
|
key_id => '7638D0442B90D010',
|
|
user => 'root',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/debian-jessie-mirror-gpg-key.asc',
|
|
key_type => 'public',
|
|
}
|
|
|
|
gnupg_key { 'Debian 9/stretch Archive':
|
|
ensure => present,
|
|
key_id => 'E0B11894F66AEC98',
|
|
user => 'root',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/debian-stretch-mirror-gpg-key.asc',
|
|
key_type => 'public',
|
|
}
|
|
|
|
gnupg_key { 'Debian 10/buster Archive':
|
|
ensure => present,
|
|
key_id => 'DC30D7C23CBBABEE',
|
|
user => 'root',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/debian-buster-mirror-gpg-key.asc',
|
|
key_type => 'public',
|
|
}
|
|
|
|
|
|
# Note debian-security needs it's own mirroring process, as we found
|
|
# that including it in the main "debian-updates" config lead to
|
|
# weird conflicts of package names breaking the mirror.
|
|
::openstack_project::reprepro { 'debian-security-reprepro-mirror':
|
|
confdir => '/etc/reprepro/debian-security',
|
|
basedir => '/afs/.openstack.org/mirror/debian-security',
|
|
distributions => 'openstack_project/reprepro/distributions.debian-security.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/debian-security-updates',
|
|
releases => ['stretch', 'buster'],
|
|
}
|
|
|
|
cron { 'reprepro debian security':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'reprepro-debian-security'),
|
|
command => 'flock -n /var/run/reprepro/debian-security.lock reprepro-mirror-update /etc/reprepro/debian-security mirror.debian-security >>/var/log/reprepro/debian-security-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['debian-security-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
gnupg_key { 'Debian 9/stretch Security':
|
|
ensure => present,
|
|
key_id => 'EDA0D2388AE22BA9',
|
|
user => 'root',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/debian-stretch-security-mirror-gpg-key.asc',
|
|
key_type => 'public',
|
|
}
|
|
|
|
gnupg_key { 'Debian 10/buster Security':
|
|
ensure => present,
|
|
key_id => '4DFAB270CAA96DFA',
|
|
user => 'root',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/debian-buster-security-mirror-gpg-key.asc',
|
|
key_type => 'public',
|
|
}
|
|
|
|
::openstack_project::reprepro { 'ubuntu-reprepro-mirror':
|
|
confdir => '/etc/reprepro/ubuntu',
|
|
basedir => '/afs/.openstack.org/mirror/ubuntu',
|
|
distributions => 'openstack_project/reprepro/distributions.ubuntu.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/ubuntu-updates',
|
|
releases => ['bionic', 'focal', 'xenial'],
|
|
}
|
|
|
|
cron { 'reprepro ubuntu':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'reprepro-ubuntu'),
|
|
command => 'flock -n /var/run/reprepro/ubuntu.lock reprepro-mirror-update /etc/reprepro/ubuntu mirror.ubuntu >>/var/log/reprepro/ubuntu-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['ubuntu-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
::openstack_project::reprepro { 'ubuntu-ports-reprepro-mirror':
|
|
confdir => '/etc/reprepro/ubuntu-ports',
|
|
basedir => '/afs/.openstack.org/mirror/ubuntu-ports',
|
|
distributions => 'openstack_project/reprepro/distributions.ubuntu-ports.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/ubuntu-updates',
|
|
releases => ['bionic', 'focal', 'xenial'],
|
|
}
|
|
|
|
cron { 'reprepro ubuntu-ports':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'reprepro-ubuntu-ports'),
|
|
command => 'flock -n /var/run/reprepro/ubuntu-ports.lock reprepro-mirror-update /etc/reprepro/ubuntu-ports mirror.ubuntu-ports >>/var/log/reprepro/ubuntu-ports-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['ubuntu-ports-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
gnupg_key { 'Ubuntu Archive':
|
|
ensure => present,
|
|
key_id => '40976EAF437D05B5',
|
|
user => 'root',
|
|
key_server => 'hkp://keyserver.ubuntu.com',
|
|
key_type => 'public',
|
|
}
|
|
|
|
gnupg_key { 'Ubuntu Archive (2012)':
|
|
ensure => present,
|
|
key_id => '3B4FE6ACC0B21F32',
|
|
user => 'root',
|
|
key_server => 'hkp://keyserver.ubuntu.com',
|
|
key_type => 'public',
|
|
}
|
|
|
|
::openstack_project::reprepro { 'debian-ceph-nautilus-reprepro-mirror':
|
|
confdir => '/etc/reprepro/debian-ceph-nautilus',
|
|
basedir => '/afs/.openstack.org/mirror/ceph-deb-nautilus',
|
|
distributions => 'openstack_project/reprepro/distributions.debian-ceph-nautilus.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/debian-ceph-nautilus-updates',
|
|
releases => ['stretch', 'bionic'],
|
|
}
|
|
|
|
cron { 'reprepro debian ceph nautilus':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'debian-ceph-nautilus'),
|
|
command => 'flock -n /var/run/reprepro/debian-ceph-nautilus.lock reprepro-mirror-update /etc/reprepro/debian-ceph-nautilus mirror.deb-nautilus >>/var/log/reprepro/debian-ceph-nautilus-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['debian-ceph-nautilus-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
::openstack_project::reprepro { 'debian-ceph-octopus-reprepro-mirror':
|
|
confdir => '/etc/reprepro/debian-ceph-octopus',
|
|
basedir => '/afs/.openstack.org/mirror/ceph-deb-octopus',
|
|
distributions => 'openstack_project/reprepro/distributions.debian-ceph-octopus.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/debian-ceph-octopus-updates',
|
|
releases => ['buster'],
|
|
}
|
|
|
|
cron { 'reprepro debian ceph octopus':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'debian-ceph-octopus'),
|
|
command => 'flock -n /var/run/reprepro/debian-ceph-octopus.lock reprepro-mirror-update /etc/reprepro/debian-ceph-octopus mirror.deb-octopus >>/var/log/reprepro/debian-ceph-octopus-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['debian-ceph-octopus-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
gnupg_key { 'Ceph Archive':
|
|
ensure => present,
|
|
# 08B7 3419 AC32 B4E9 66C1 A330 E84A C2C0 460F 3994
|
|
key_id => 'E84AC2C0460F3994',
|
|
user => 'root',
|
|
key_type => 'public',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/ceph-mirror-gpg-key.asc',
|
|
}
|
|
|
|
## Docker APT mirror
|
|
|
|
# Unfortunately docker upstream doesn't do the pool model correctly,
|
|
# and we have to mirror each distro separately to avoid file
|
|
# conflicts (they have the same .deb files)
|
|
::openstack_project::reprepro { 'debian-docker-bionic-reprepro-mirror':
|
|
confdir => '/etc/reprepro/debian-docker-bionic',
|
|
basedir => '/afs/.openstack.org/mirror/deb-docker/bionic',
|
|
distributions => 'openstack_project/reprepro/distributions.debian-docker.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/debian-docker-updates',
|
|
releases => ['bionic'],
|
|
}
|
|
|
|
::openstack_project::reprepro { 'debian-docker-xenial-reprepro-mirror':
|
|
confdir => '/etc/reprepro/debian-docker-xenial',
|
|
basedir => '/afs/.openstack.org/mirror/deb-docker/xenial',
|
|
distributions => 'openstack_project/reprepro/distributions.debian-docker.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/debian-docker-updates',
|
|
releases => ['xenial'],
|
|
}
|
|
|
|
::openstack_project::reprepro { 'debian-docker-focal-reprepro-mirror':
|
|
confdir => '/etc/reprepro/debian-docker-focal',
|
|
basedir => '/afs/.openstack.org/mirror/deb-docker/focal',
|
|
distributions => 'openstack_project/reprepro/distributions.debian-docker.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/debian-docker-updates',
|
|
releases => ['focal'],
|
|
}
|
|
|
|
cron { 'reprepro debian docker':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'debian-docker'),
|
|
command => 'flock -n /var/run/reprepro/debian-docker.lock bash -c "for DISTRO in xenial bionic focal; do reprepro-mirror-update /etc/reprepro/debian-docker-\$DISTRO mirror.deb-docker >>/var/log/reprepro/debian-docker-\$DISTRO-mirror.log; done" 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['debian-docker-xenial-reprepro-mirror'],
|
|
::Openstack_project::Reprepro['debian-docker-bionic-reprepro-mirror'],
|
|
::Openstack_project::Reprepro['debian-docker-focal-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
gnupg_key { 'Docker Archive':
|
|
ensure => present,
|
|
# pub 4096R/0EBFCD88 2017-02-22 Docker Release (CE deb) <docker@docker.com>
|
|
# fingerprint: 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
|
|
# Note the key that signs the release file is actually the subkey F273FCD8
|
|
key_id => '0EBFCD88',
|
|
user => 'root',
|
|
key_type => 'public',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/docker-mirror-gpg-key.asc',
|
|
}
|
|
|
|
## Puppetlabs APT mirror
|
|
::openstack_project::reprepro { 'apt-puppetlabs-reprepro-mirror':
|
|
confdir => '/etc/reprepro/apt-puppetlabs',
|
|
basedir => '/afs/.openstack.org/mirror/apt-puppetlabs',
|
|
distributions => 'openstack_project/reprepro/distributions.apt-puppetlabs.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/puppetlabs-debs',
|
|
releases => { 'xenial' => 'puppet5', 'stretch' => 'puppet5 puppet6', 'bionic' => 'puppet5 puppet6', 'focal' => 'puppet5 puppet6' },
|
|
}
|
|
|
|
cron { 'reprepro ubuntu puppetlabs':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'ubuntu-puppetlabs'),
|
|
command => 'flock -n /var/run/reprepro/apt-puppetlabs.lock reprepro-mirror-update /etc/reprepro/apt-puppetlabs mirror.apt-puppetlabs >>/var/log/reprepro/apt-puppetlabs-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['apt-puppetlabs-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
gnupg_key { 'Puppetlabs Archive':
|
|
ensure => present,
|
|
key_id => 'EF8D349F',
|
|
user => 'root',
|
|
key_type => 'public',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/puppetlabs-mirror-gpg-key.asc',
|
|
}
|
|
|
|
### CentOS mirror ###
|
|
file { '/etc/centos.keytab':
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0400',
|
|
content => $centos_keytab,
|
|
}
|
|
|
|
file { '/usr/local/bin/centos-mirror-update':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
source => 'puppet:///modules/openstack_project/mirror/centos-mirror-update.sh',
|
|
}
|
|
|
|
cron { 'centos mirror':
|
|
ensure => 'absent',
|
|
user => 'root',
|
|
minute => fqdn_rand(45, 'centos-mirror'),
|
|
hour => '*/2',
|
|
command => 'flock -n /var/run/centos-mirror.lock centos-mirror-update mirror.centos >>/var/log/centos-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/centos-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/centos.keytab'],
|
|
]
|
|
}
|
|
|
|
### Ubuntu Cloud Archive Mirror ###
|
|
::openstack_project::reprepro { 'ubuntu-cloud-archive-reprepro-mirror':
|
|
confdir => '/etc/reprepro/ubuntu-cloud-archive',
|
|
basedir => '/afs/.openstack.org/mirror/ubuntu-cloud-archive',
|
|
distributions => 'openstack_project/reprepro/distributions.ubuntu-cloud-archive.erb',
|
|
updates_file => 'puppet:///modules/openstack_project/reprepro/ubuntu-cloud-archive-updates',
|
|
releases => { 'xenial'=>['newton', 'ocata', 'pike', 'queens'], 'bionic'=>['rocky', 'stein', 'train', 'ussuri'], 'focal'=>['victoria'] },
|
|
}
|
|
|
|
cron { 'reprepro ubuntu-cloud-archive':
|
|
ensure => absent,
|
|
user => 'root',
|
|
hour => '*/2',
|
|
minute => fqdn_rand(45, 'ubuntu-cloud-archive-mirror'),
|
|
command => 'flock -n /var/run/reprepro/ubuntu-cloud-archive.lock reprepro-mirror-update /etc/reprepro/ubuntu-cloud-archive mirror.ubuntu-cloud >>/var/log/reprepro/ubuntu-cloud-archive-mirror.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
require => [
|
|
File['/usr/local/bin/reprepro-mirror-update'],
|
|
File['/etc/afsadmin.keytab'],
|
|
File['/etc/reprepro.keytab'],
|
|
::Openstack_project::Reprepro['ubuntu-cloud-archive-reprepro-mirror'],
|
|
]
|
|
}
|
|
|
|
gnupg_key { 'Canonical Cloud Archive Signing Key':
|
|
ensure => present,
|
|
# 391A 9AA2 1471 9283 9E9D B031 5EDB 1B62 EC49 26EA
|
|
key_id => '5EDB1B62EC4926EA',
|
|
user => 'root',
|
|
key_type => 'public',
|
|
key_source => 'puppet:///modules/openstack_project/reprepro/ubuntu-cloud-archive-gpg-key.asc',
|
|
}
|
|
|
|
# AFS Monitoring
|
|
# NOTE(ianw) 2020-02 : moved to mirror-update.opendev.org and ansible
|
|
cron { 'afsmon':
|
|
minute => [0, 30],
|
|
command => '/usr/afsmon-env/bin/afsmon statsd >> /var/log/afsmon.log 2>&1',
|
|
environment => 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
|
|
ensure => absent,
|
|
}
|
|
|
|
}
|