commit 65a6599dfe9795f2458fae03a233dba23c40e427
Author: Dan Prince
Date: Wed Apr 13 10:59:50 2011 -0400
Initial commit.
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ccee7c1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.rake_test_cache
+
diff --git a/README b/README
new file mode 100644
index 0000000..99ef4fe
--- /dev/null
+++ b/README
@@ -0,0 +1,8 @@
+= Openstack Cookbooks
+
+A set of Chef cookbooks for Openstack.
+
+== Description
+
+Chef cookbooks for nova, glance, mysql, etc. to help setup and configure
+Openstack in Cloud Servers VPC type environments.
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..cdfe630
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,66 @@
+#
+# Rakefile for Chef Server Repository
+#
+# Author:: Adam Jacob ()
+# Copyright:: Copyright (c) 2008 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'rubygems'
+require 'chef'
+require 'json'
+
+# Load constants from rake config file.
+require File.join(File.dirname(__FILE__), 'config', 'rake')
+
+# Detect the version control system and assign to $vcs. Used by the update
+# task in chef_repo.rake (below). The install task calls update, so this
+# is run whenever the repo is installed.
+#
+# Comment out these lines to skip the update.
+
+if File.directory?(File.join(TOPDIR, ".svn"))
+ $vcs = :svn
+elsif File.directory?(File.join(TOPDIR, ".git"))
+ $vcs = :git
+end
+
+# Load common, useful tasks from Chef.
+# rake -T to see the tasks this loads.
+
+load 'chef/tasks/chef_repo.rake'
+
+desc "Bundle a single cookbook for distribution"
+task :bundle_cookbook => [ :metadata ]
+task :bundle_cookbook, :cookbook do |t, args|
+ tarball_name = "#{args.cookbook}.tar.gz"
+ temp_dir = File.join(Dir.tmpdir, "chef-upload-cookbooks")
+ temp_cookbook_dir = File.join(temp_dir, args.cookbook)
+ tarball_dir = File.join(TOPDIR, "pkgs")
+ FileUtils.mkdir_p(tarball_dir)
+ FileUtils.mkdir(temp_dir)
+ FileUtils.mkdir(temp_cookbook_dir)
+
+ child_folders = [ "cookbooks/#{args.cookbook}", "site-cookbooks/#{args.cookbook}" ]
+ child_folders.each do |folder|
+ file_path = File.join(TOPDIR, folder, ".")
+ FileUtils.cp_r(file_path, temp_cookbook_dir) if File.directory?(file_path)
+ end
+
+ system("tar", "-C", temp_dir, "-cvzf", File.join(tarball_dir, tarball_name), "./#{args.cookbook}")
+
+ FileUtils.rm_rf temp_dir
+end
+
diff --git a/certificates/README b/certificates/README
new file mode 100644
index 0000000..2c94e19
--- /dev/null
+++ b/certificates/README
@@ -0,0 +1 @@
+This directory contains certificates created by the Rakefile.
diff --git a/config/client.rb.example b/config/client.rb.example
new file mode 100644
index 0000000..15be5db
--- /dev/null
+++ b/config/client.rb.example
@@ -0,0 +1,21 @@
+#
+# Example Chef Client Config File
+#
+# We recommend using Opscode's chef cookbook for managing chef itself,
+# instead of using this file. It is provided as an example.
+
+log_level :info
+log_location STDOUT
+ssl_verify_mode :verify_none
+chef_server_url "http://chef.example.com:4000"
+
+validation_client_name "chef-validator"
+validation_key "/etc/chef/validation.pem"
+client_key "/etc/chef/client.pem"
+
+file_store_path "/srv/chef/file_store"
+file_cache_path "/srv/chef/cache"
+
+pid_file "/var/run/chef/chef-client.pid"
+
+Mixlib::Log::Formatter.show_time = true
diff --git a/config/knife.rb.example b/config/knife.rb.example
new file mode 100644
index 0000000..54620a5
--- /dev/null
+++ b/config/knife.rb.example
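Review bot: `FileUtils.mkdir(temp_dir)` in `bundle_cookbook` creates a fixed, predictable name under `Dir.tmpdir`, and the closing `FileUtils.rm_rf temp_dir` is not in an `ensure`, so a failed `cp_r` or `tar` leaves the directory behind, the next run dies with EEXIST, and a directory of that name already present in a shared tmp is never distinguished from the task's own. `Dir.mktmpdir` (stdlib `tmpdir`, which this file does not `require` explicitly and presumably gets transitively from `chef`) returns a unique mode-0700 directory and removes it when the block exits on any path. `args.cookbook` is also spliced unchecked into the scratch path and the tar member name, so a `/\A[\w.-]+\z/` check before use keeps the task inside `cookbooks/` and `site-cookbooks/`. The return value of `system(...)` is ignored, so a failed `tar` still reports the task as successful.
```ruby
task :bundle_cookbook, :cookbook do |t, args|
  raise ArgumentError, "invalid cookbook name: #{args.cookbook.inspect}" unless args.cookbook.to_s =~ /\A[\w.-]+\z/
  tarball_name = "#{args.cookbook}.tar.gz"
  tarball_dir = File.join(TOPDIR, "pkgs")
  FileUtils.mkdir_p(tarball_dir)
  # unique, mode-0700 scratch directory; removed when the block exits, even on error
  Dir.mktmpdir("chef-upload-cookbooks") do |temp_dir|
    temp_cookbook_dir = File.join(temp_dir, args.cookbook)
    FileUtils.mkdir(temp_cookbook_dir)
    # … unchanged: copy of cookbooks/ and site-cookbooks/ into temp_cookbook_dir …
    system("tar", "-C", temp_dir, "-cvzf", File.join(tarball_dir, tarball_name), "./#{args.cookbook}") or raise "tar failed for #{args.cookbook}"
  end
end
```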
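Review bot: `ssl_verify_mode :verify_none` in config/client.rb.example disables certificate verification for every connection the client makes to the Chef server, and config/server.rb.example ships the same line; an example file is what gets copied into production, so it should default to `ssl_verify_mode :verify_peer` with a comment saying when and why to relax it. The `chef_server_url` values here, in config/knife.rb.example and in config/server.rb.example are plain `http://chef.example.com:4000`, so node data and cookbook content travel unencrypted even though requests are signed with the client key; an `https://` URL in the example is what makes the `:verify_peer` setting meaningful.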
@@ -0,0 +1,10 @@
+log_level :info
+log_location STDOUT
+node_name 'chef_admin'
+client_key '/home/chef_admin/.chef/chef_admin.pem'
+validation_client_name 'chef-validator'
+validation_key '/home/chef_admin/.chef/chef-validator.pem'
+chef_server_url 'http://chef.example.com:4000'
+cache_type 'BasicFile'
+cache_options( :path => '/home/chef_admin/.chef/checksums' )
+cookbook_path [ './cookbooks', './site-cookbooks' ]
diff --git a/config/rake.rb b/config/rake.rb
new file mode 100644
index 0000000..b59d5d6
--- /dev/null
+++ b/config/rake.rb
@@ -0,0 +1,60 @@
+###
+# Company and SSL Details
+###
+
+# The company name - used for SSL certificates, and in srvious other places
+COMPANY_NAME = ""
+
+# The Country Name to use for SSL Certificates
+SSL_COUNTRY_NAME = ""
+
+# The State Name to use for SSL Certificates
+SSL_STATE_NAME = ""
+
+# The Locality Name for SSL - typically, the city
+SSL_LOCALITY_NAME = ""
+
+# What department?
+SSL_ORGANIZATIONAL_UNIT_NAME = ""
+
+# The SSL contact email address
+SSL_EMAIL_ADDRESS = ""
+
+# License for new Cookbooks
+# Can be :apachev2 or :none
+NEW_COOKBOOK_LICENSE = :none
+
+##########################
+# Chef Repository Layout #
+##########################
+
+# Where to install upstream cookbooks for serving
+COOKBOOK_PATH = "/srv/chef/cookbooks"
+
+# Where to install site-local modifications to upstream cookbooks
+SITE_COOKBOOK_PATH = "/srv/chef/site-cookbooks"
+
+# Where to install roles
+ROLE_PATH = "/srv/chef/roles"
+
+# Chef Config Path
+CHEF_CONFIG_PATH = "/etc/chef"
+
+# The location of the Chef Server Config file (on the server)
+CHEF_SERVER_CONFIG = File.join(CHEF_CONFIG_PATH, "server.rb")
+
+# The location of the Chef Client Config file (on the client)
+CHEF_CLIENT_CONFIG = File.join(CHEF_CONFIG_PATH, "client.rb")
+
+###
+# Useful Extras (which you probably don't need to change)
+###
+
+# The top of the repository checkout
+TOPDIR = File.expand_path(File.join(File.dirname(__FILE__), ".."))
+
+# Where to store certificates generated with ssl_cert
+CADIR = File.expand_path(File.join(TOPDIR, "certificates"))
+
+# Where to store the mtime cache for the recipe/template syntax check
+TEST_CACHE = File.expand_path(File.join(TOPDIR, ".rake_test_cache"))
diff --git a/config/server.rb.example b/config/server.rb.example
new file mode 100644
index 0000000..120c2c2
--- /dev/null
+++ b/config/server.rb.example
@@ -0,0 +1,42 @@
+#
+# Chef Server Config File
+#
+# We recommend using Opscode's chef cookbook for managing chef itself,
+# instead of using this file. It is provided as an example.
+
+log_level :info
+log_location STDOUT
+ssl_verify_mode :verify_none
+chef_server_url "http://chef.example.com:4000"
+
+signing_ca_path "/srv/chef/ca"
+couchdb_database 'chef'
+
+cookbook_path [ "/srv/chef/cookbooks", "/srv/chef/site-cookbooks" ]
+
+file_cache_path "/srv/chef/cache"
+node_path "/srv/chef/nodes"
+openid_store_path "/srv/chef/openid/store"
+openid_cstore_path "/srv/chef/openid/cstore"
+search_index_path "/srv/chef/search_index"
+role_path "/srv/chef/roles"
+
+validation_client_name "chef-validator"
+validation_key "/etc/chef/validation.pem"
+client_key "/etc/chef/client.pem"
+web_ui_client_name "chef-webui"
+web_ui_key "/etc/chef/webui.pem"
+
+# change this as required.
+#web_ui_admin_user_name "admin"
+#web_ui_admin_default_password "replace_with_something_secure"
+
+supportdir = "/srv/chef/support"
+solr_jetty_path File.join(supportdir, "solr", "jetty")
+solr_data_path File.join(supportdir, "solr", "data")
+solr_home_path File.join(supportdir, "solr", "home")
+solr_heap_size "256M"
+
+umask 0022
+
+Mixlib::Log::Formatter.show_time = false
diff --git a/config/solo.rb.example b/config/solo.rb.example
new file mode 100644
index 0000000..b745665
--- /dev/null
+++ b/config/solo.rb.example
@@ -0,0 +1,13 @@
+#
+# Chef Solo Config File
+#
+
+log_level :info
+log_location STDOUT
+file_cache_path "/var/chef/cookbooks"
+
+# Optionally store your JSON data file and a tarball of cookbooks remotely.
+#json_attribs "http://chef.example.com/dna.json"
+#recipe_url "http://chef.example.com/cookbooks.tar.gz"
+
+Mixlib::Log::Formatter.show_time = false
diff --git a/cookbooks/README b/cookbooks/README
new file mode 100644
index 0000000..2dcf2fd
--- /dev/null
+++ b/cookbooks/README
@@ -0,0 +1,2 @@
+Download cookbooks into this directory from the Opscode Cookbooks site
+using knife, or remove this file to clone an upstream Git Repository.
diff --git a/cookbooks/apt/README.md b/cookbooks/apt/README.md
new file mode 100644
index 0000000..9eef585
--- /dev/null
+++ b/cookbooks/apt/README.md
@@ -0,0 +1,79 @@
+Description
+===========
+
+Configures various APT components on Debian-like systems. Also includes a LWRP.
+
+Recipes
+=======
+
+default
+-------
+
+The default recipe runs apt-get update during the Compile Phase of the Chef run to ensure that the system's package cache is updated with the latest. It is recommended that this recipe appear first in a node's run list (directly or through a role) to ensure that when installing packages, Chef will be able to download the latest version available on the remote APT repository.
+
+This recipe also sets up a local cache directory for preseeding packages.
+
+cacher
+------
+
+Installs the apt-cacher package and service so the system can be an APT cache.
+
+proxy
+-----
+
+Installs the apt-proxy package and service so the system can be an APT proxy.
+
+Resources/Providers
+===================
+
+This cookbook contains an LWRP, `apt_repository`, which provides the `add` and `remove` actions for managing additional software repositories with entries in the `/etc/apt/sources.list.d/` directory.
+
+* `add` takes a number of attributes and creates a repository file and builds the repository listing.
+* `remove` deletes the `/etc/apt/sources.list.d/#{new_resource.repo_name}-sources.list` file identified by the `repo_name` passed as the resource name.
+
+Usage
+=====
+
+Put `recipe[apt]` first in the run list. If you have other recipes that you want to use to configure how apt behaves, like new sources, notify the execute resource to run, e.g.:
+
+ template "/etc/apt/sources.list.d/my_apt_sources.list" do
+ notifies :run, resources(:execute => "apt-get update"), :immediately
+ end
+
+The above will run during execution phase since it is a normal template resource, and should appear before other package resources that need the sources in the template.
+
+An example of The LWRP `apt_repository` `add` action:
+
+ apt_repository "zenoss" do
+ uri "http://dev.zenoss.org/deb"
+ distribution "main"
+ components ["stable"]
+ action :add
+ end
+
+and the `remove` action:
+
+ apt_repository "zenoss" do
+ action :remove
+ end
+
+License and Author
+==================
+
+Author:: Joshua Timberman ()
+Author:: Matt Ray ()
+
+Copyright 2009, 2010 Opscode, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
diff --git a/cookbooks/apt/files/default/apt-cacher b/cookbooks/apt/files/default/apt-cacher
new file mode 100644
index 0000000..dab9488
--- /dev/null
+++ b/cookbooks/apt/files/default/apt-cacher
@@ -0,0 +1,9 @@
+# apt-cacher startup configuration file
+
+# IMPORTANT: check the apt-cacher.conf file before using apt-cacher as daemon.
+
+# set to 1 to start the daemon at boot time
+AUTOSTART=1
+
+# extra settings to override the ones in apt-cacher.conf
+# EXTRAOPT=" daemon_port=3142 limit=30 "
diff --git a/cookbooks/apt/files/default/apt-cacher.conf b/cookbooks/apt/files/default/apt-cacher.conf
new file mode 100644
index 0000000..32ca3c3
--- /dev/null
+++ b/cookbooks/apt/files/default/apt-cacher.conf
@@ -0,0 +1,144 @@
+# This file has been modified by ./apt-proxy-to-apt-cacher
+# Some lines may have been appended at the bottom of this file
+# This file has been modified by /usr/share/apt-cacher/apt-proxy-to-apt-cacher
+# Some lines may have been appended at the bottom of this file
+#################################################################
+# This is the config file for apt-cacher. On most Debian systems
+# you can safely leave the defaults alone.
+#################################################################
+
+# cache_dir is used to set the location of the local cache. This can
+# become quite large, so make sure it is somewhere with plenty of space.
+cache_dir=/var/cache/apt-cacher
+
+# The email address of the administrator is displayed in the info page
+# and traffic reports.
+admin_email=root@localhost
+
+# For the daemon startup settings please edit the file /etc/default/apt-cacher.
+
+# Daemon port setting, only useful in stand-alone mode. You need to run the
+# daemon as root to use privileged ports (<1024).
+daemon_port = 3142
+
+# optional settings, user and group to run the daemon as. Make sure they have
+# sufficient permissions on the cache and log directories. Comment the settings
+# to run apt-cacher as the native user.
+group=www-data
+user=www-data
+
+# optional setting, binds the listening daemon to one specified IP. Use IP
+# ranges for more advanced configuration, see below.
+# daemon_addr=localhost
+
+# If your apt-cacher machine is directly exposed to the Internet and you are
+# worried about unauthorised machines fetching packages through it, you can
+# specify a list of IPv4 addresses which are allowed to use it and another
+# list of IPv4 addresses which aren't.
+# Localhost (127.0.0.1) is always allowed. Other addresses must be matched
+# by allowed_hosts and not by denied_hosts to be permitted to use the cache.
+# Setting allowed_hosts to "*" means "allow all".
+# Otherwise the format is a comma-separated list containing addresses,
+# optionally with masks (like 10.0.0.0/22), or ranges of addresses (two
+# addresses separated by a hyphen, no masks, like '192.168.0.3-192.168.0.56').
+allowed_hosts=*
+denied_hosts=
+
+# And similiarly for IPv6 with allowed_hosts_6 and denied_hosts_6.
+# Note that IPv4-mapped IPv6 addresses (::ffff:w.x.y.z) are truncated to
+# w.x.y.z and are handled as IPv4.
+allowed_hosts_6=fec0::/16
+denied_hosts_6=
+
+# This thing can be done by Apache but is much simplier here - limit access to
+# Debian mirrors based on server names in the URLs
+#allowed_locations=ftp.uni-kl.de,ftp.nerim.net,debian.tu-bs.de
+
+# Apt-cacher can generate usage reports every 24 hours if you set this
+# directive to 1. You can view the reports in a web browser by pointing
+# to your cache machine with '/apt-cacher/report' on the end, like this:
+# http://yourcache.example.com/apt-cacher/report
+# Generating reports is very fast even with many thousands of logfile
+# lines, so you can safely turn this on without creating much
+# additional system load.
+generate_reports=1
+
+# Apt-cacher can clean up its cache directory every 24 hours if you set
+# this directive to 1. Cleaning the cache can take some time to run
+# (generally in the order of a few minutes) and removes all package
+# files that are not mentioned in any existing 'Packages' lists. This
+# has the effect of deleting packages that have been superseded by an
+# updated 'Packages' list.
+clean_cache=1
+
+# The directory to use for apt-cacher access and error logs.
+# The access log records every request in the format:
+# date-time|client ip address|HIT/MISS/EXPIRED|object size|object name
+# The error log is slightly more free-form, and is also used for debug
+# messages if debug mode is turned on.
+# Note that the old 'logfile' and 'errorfile' directives are
+# deprecated: if you set them explicitly they will be honoured, but it's
+# better to just get rid of them from old config files.
+logdir=/var/log/apt-cacher
+
+# apt-cacher can use different methods to decide whether package lists need to
+# be updated,
+# A) looking at the age of the cached files
+# B) getting HTTP header from server and comparing that with cached data. This
+# method is more reliable and avoids desynchronisation of data and index files
+# but needs to transfer few bytes from the server every time somebody requests
+# the files ("apt-get update")
+# Set the following value to the maximum age (in hours) for method A or to 0
+# for method B
+expire_hours=0
+
+# Apt-cacher can pass all its requests to an external http proxy like
+# Squid, which could be very useful if you are using an ISP that blocks
+# port 80 and requires all web traffic to go through its proxy. The
+# format is 'hostname:port', eg: 'proxy.example.com:8080'.
+http_proxy=proxy.example.com:8080
+
+# Use of an external proxy can be turned on or off with this flag.
+# Value should be either 0 (off) or 1 (on).
+use_proxy=0
+
+# External http proxy sometimes need authentication to get full access. The
+# format is 'username:password'.
+http_proxy_auth=proxyuser:proxypass
+
+# Use of external proxy authentication can be turned on or off with this flag.
+# Value should be either 0 (off) or 1 (on).
+use_proxy_auth=0
+
+# Rate limiting sets the maximum bandwidth in bytes per second to use
+# for fetching packages. Syntax is fully defined in 'man wget'.
+# Use 'k' or 'm' to use kilobits or megabits / second: eg, 'limit=25k'.
+# Use 0 or a negative value for no rate limiting.
+limit=0
+
+# Debug mode makes apt-cacher spew a lot of extra debug junk to the
+# error log (whose location is defined with the 'logdir' directive).
+# Leave this off unless you need it, or your error log will get very
+# big. Acceptable values are 0 or 1.
+debug=0
+
+# Adapt the line in the usage info web page to match your server configuration
+# example_sources_line=deb http://my.cacher.server:3142/ftp.au.debian.org/debian unstable main contrib non-free
+
+# Print a 410 (Gone) HTTP message with the specified text when accessed via
+# CGI. Useful to tell users to adapt their sources.list files when the
+# apt-cacher server is beeing relocated (via apt-get's error messages while
+# running "update")
+#cgi_advise_to_use = Please use http://cacheserver:3142/ as apt-cacher access URL
+#cgi_advise_to_use = Server relocated. To change sources.list, run perl -pe "s,/apt-cacher\??,:3142," -i /etc/apt/sources.list
+
+# Server mapping - this allows to hide real server names behind virtual paths
+# that appear in the access URL. This method is known from apt-proxy. This is
+# also the only method to use FTP access to the target hosts. The syntax is simple, the part of the beginning to replace, followed by a list of mirror urls, all space separated. Multiple profile are separated by semicolons
+# path_map = debian ftp.uni-kl.de/pub/linux/debian ftp2.de.debian.org/debian ; ubuntu archive.ubuntu.com/ubuntu ; security security.debian.org/debian-security ftp2.de.debian.org/debian-security
+# Note that you need to specify all target servers in the allowed_locations
+# options if you make use of it. Also note that the paths should not overlap
+# each other. FTP access method not supported yet, maybe in the future.
+
+# extra setting from apt-proxy configuration
+path_map = ubuntu us.archive.ubuntu.com/ubuntu ; ubuntu-security security.ubuntu.com/ubuntu ; debian debian.osuosl.org/debian/ ; security security.debian.org/debian-security
diff --git a/cookbooks/apt/files/default/apt-proxy-v2.conf b/cookbooks/apt/files/default/apt-proxy-v2.conf
new file mode 100644
index 0000000..6541f25
--- /dev/null
+++ b/cookbooks/apt/files/default/apt-proxy-v2.conf
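Review bot: `allowed_hosts=*` combined with the commented-out `allowed_locations` means any host that can reach port 3142 can fetch from any upstream through this daemon; the `path_map` comment itself says target servers still have to be listed in `allowed_locations`, so the mapping adds virtual paths but restricts nothing, and inside a VPC the node becomes an open HTTP fetch proxy. The file is delivered verbatim by `cookbook_file` in recipes/cacher.rb, so the practical fix is a template whose `allowed_hosts` comes from a node attribute holding the VPC ranges, with `allowed_locations` set to the mirrors already named in `path_map`. `allowed_hosts_6=fec0::/16` is the deprecated site-local prefix and will not match ULA (`fc00::/7`) or global addresses, so the IPv6 allow-list is effectively empty. cookbooks/apt/files/default/apt-proxy-v2.conf has the same exposure: `;; address = 127.0.0.1` is commented out so apt-proxy listens on all interfaces on port 9999.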
@@ -0,0 +1,50 @@
+[DEFAULT]
+;; All times are in seconds, but you can add a suffix
+;; for minutes(m), hours(h) or days(d)
+
+;; commented out address so apt-proxy will listen on all IPs
+;; address = 127.0.0.1
+port = 9999
+cache_dir = /var/cache/apt-proxy
+
+;; Control files (Packages/Sources/Contents) refresh rate
+min_refresh_delay = 1s
+complete_clientless_downloads = 1
+
+;; Debugging settings.
+debug = all:4 db:0
+
+time = 30
+passive_ftp = on
+
+;;--------------------------------------------------------------
+;; Cache housekeeping
+
+cleanup_freq = 1d
+max_age = 120d
+max_versions = 3
+
+;;---------------------------------------------------------------
+;; Backend servers
+;;
+;; Place each server in its own [section]
+
+[ubuntu]
+; Ubuntu archive
+backends =
+ http://us.archive.ubuntu.com/ubuntu
+
+[ubuntu-security]
+; Ubuntu security updates
+backends = http://security.ubuntu.com/ubuntu
+
+[debian]
+;; Backend servers, in order of preference
+backends =
+ http://debian.osuosl.org/debian/
+
+[security]
+;; Debian security archive
+backends =
+ http://security.debian.org/debian-security
+ http://ftp2.de.debian.org/debian-security
diff --git a/cookbooks/apt/metadata.json b/cookbooks/apt/metadata.json
new file mode 100644
index 0000000..4a0d0af
--- /dev/null
+++ b/cookbooks/apt/metadata.json
@@ -0,0 +1,46 @@
+{
+ "platforms": {
+ "debian": [
+
+ ],
+ "ubuntu": [
+
+ ]
+ },
+ "maintainer": "Opscode, Inc.",
+ "replacing": {
+
+ },
+ "license": "Apache 2.0",
+ "maintainer_email": "cookbooks@opscode.com",
+ "groupings": {
+
+ },
+ "recommendations": {
+
+ },
+ "description": "Configures apt and apt services",
+ "version": "0.9.2",
+ "suggestions": {
+
+ },
+ "attributes": {
+
+ },
+ "conflicting": {
+
+ },
+ "name": "apt",
+ "recipes": {
+ "apt::proxy": "Set up an APT proxy",
+ "apt": "Runs apt-get update during compile phase and sets up preseed directories",
+ "apt::cacher": "Set up an APT cache"
+ },
+ "dependencies": {
+
+ },
+ "long_description": "",
+ "providing": {
+
+ }
+}
\ No newline at end of file
diff --git a/cookbooks/apt/metadata.rb b/cookbooks/apt/metadata.rb
new file mode 100644
index 0000000..baf2448
--- /dev/null
+++ b/cookbooks/apt/metadata.rb
@@ -0,0 +1,12 @@
+maintainer "Opscode, Inc."
+maintainer_email "cookbooks@opscode.com"
+license "Apache 2.0"
+description "Configures apt and apt services"
+version "0.9.2"
+recipe "apt", "Runs apt-get update during compile phase and sets up preseed directories"
+recipe "apt::cacher", "Set up an APT cache"
+recipe "apt::proxy", "Set up an APT proxy"
+
+%w{ ubuntu debian }.each do |os|
+ supports os
+end
diff --git a/cookbooks/apt/providers/repository.rb b/cookbooks/apt/providers/repository.rb
new file mode 100644
index 0000000..b702d52
--- /dev/null
+++ b/cookbooks/apt/providers/repository.rb
@@ -0,0 +1,44 @@ +action :add do + unless ::File.exists?("/etc/apt/sources.list.d/#{new_resource.repo_name}-source.list") + Chef::Log.info "Adding #{new_resource.repo_name} repository to /etc/apt/sources.list.d/#{new_resource.repo_name}-source.list" + # add key + if new_resource.key && new_resource.keyserver + e = execute "install-key #{new_resource.key}" do + command "apt-key adv --keyserver #{new_resource.keyserver} --recv #{new_resource.key}" + action :run + end + e.run_action(:run) + end + # build our listing + repository = "deb" + repository = "deb-src" if new_resource.deb_src + repository = "# Created by the Chef apt_repository LWRP\n" + repository + repository += " #{new_resource.uri}" + repository += " #{new_resource.distribution}" + new_resource.components.each {|component| repository += " #{component}"} + # write out the file, replace it if it already exists + file "/etc/apt/sources.list.d/#{new_resource.repo_name}-source.list" do + owner "root" + group "root" + mode 0644 + content repository + "\n" + action :create + end + e = execute "update package index" do + command "apt-get update" + action :run + end + e.run_action(:run) + new_resource.updated_by_last_action(true) + end +end + +action :remove do + if ::File.exists?("/etc/apt/sources.list.d/#{new_resource.repo_name}-source.list") + Chef::Log.info "Removing #{new_resource.repo_name} repository from /etc/apt/sources.list.d/" + file "/etc/apt/sources.list.d/#{new_resource.repo_name}-source.list" do + action :delete + end + new_resource.updated_by_last_action(true) + end +end diff --git a/cookbooks/apt/recipes/cacher.rb b/cookbooks/apt/recipes/cacher.rb new file mode 100644 index 0000000..f6fed58 --- /dev/null +++ b/cookbooks/apt/recipes/cacher.rb 
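Review bot: In `action :add`, `new_resource.key` and `new_resource.keyserver` are interpolated unquoted into the shell string `apt-key adv --keyserver #{new_resource.keyserver} --recv #{new_resource.key}`, and `--recv` with a short key id imports whatever the keyserver returns for that id; the resource should constrain `key` to hex characters (a `:regex` on the attribute) and the provider should prefer a full fingerprint, then confirm the import with `apt-key adv --fingerprint`. The `deb_src` handling contradicts the attribute's own comment ("add the repository as a source repo as well"): `repository = "deb-src" if new_resource.deb_src` replaces the `deb` line instead of adding a second one, so a `deb_src => true` repository provides no binary packages; build the `deb` line unconditionally and append `"\ndeb-src #{new_resource.uri} #{new_resource.distribution} #{new_resource.components.join(' ')}"` when `deb_src` is set. The `unless ::File.exists?(...)` guard also means a later change to `uri`, `distribution` or `components` never reaches disk, and the `-source.list` filename written here does not match the `-sources.list` name documented in README.md.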
@@ -0,0 +1,42 @@
+#
+# Cookbook Name:: apt
+# Recipe:: cacher
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package "apt-cacher" do
+ action :install
+end
+
+service "apt-cacher" do
+ supports :restart => true, :status => false
+ action [ :enable, :start ]
+end
+
+cookbook_file "/etc/apt-cacher/apt-cacher.conf" do
+ source "apt-cacher.conf"
+ owner "root"
+ group "root"
+ mode 0644
+ notifies :restart, resources(:service => "apt-cacher")
+end
+
+cookbook_file "/etc/default/apt-cacher" do
+ source "apt-cacher"
+ owner "root"
+ group "root"
+ mode 0644
+ notifies :restart, resources(:service => "apt-cacher")
+end
diff --git a/cookbooks/apt/recipes/default.rb b/cookbooks/apt/recipes/default.rb
new file mode 100644
index 0000000..d1117a7
--- /dev/null
+++ b/cookbooks/apt/recipes/default.rb
@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: apt
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+e = execute "apt-get update" do
+ action :nothing
+end
+
+e.run_action(:run)
+
+%w{/var/cache/local /var/cache/local/preseeding}.each do |dirname|
+ directory dirname do
+ owner "root"
+ group "root"
+ mode 0755
+ action :create
+ end
+end
diff --git a/cookbooks/apt/recipes/proxy.rb b/cookbooks/apt/recipes/proxy.rb
new file mode 100644
index 0000000..b843fa1
--- /dev/null
+++ b/cookbooks/apt/recipes/proxy.rb
@@ -0,0 +1,34 @@
+#
+# Cookbook Name:: apt
+# Recipe:: proxy
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package "apt-proxy" do
+ action :install
+end
+
+service "apt-proxy" do
+ supports :restart => true, :status => false
+ action [ :enable, :start ]
+end
+
+cookbook_file "/etc/apt-proxy/apt-proxy-v2.conf" do
+ source "apt-proxy-v2.conf"
+ owner "root"
+ group "root"
+ mode 0644
+ notifies :restart, resources(:service => "apt-proxy")
+end
diff --git a/cookbooks/apt/resources/repository.rb b/cookbooks/apt/resources/repository.rb
new file mode 100644
index 0000000..266e81f
--- /dev/null
+++ b/cookbooks/apt/resources/repository.rb
@@ -0,0 +1,11 @@
+actions :add, :remove
+
+#name of the repo, used for source.list filename
+attribute :repo_name, :kind_of => String, :name_attribute => true
+attribute :key, :kind_of => String, :default => nil
+attribute :keyserver, :kind_of => String, :default => nil
+attribute :uri, :kind_of => String
+#whether or not to add the repository as a source repo as well
+attribute :deb_src, :default => false
+attribute :distribution, :kind_of => String
+attribute :components, :kind_of => Array, :default => []
diff --git a/cookbooks/build-essential/metadata.json b/cookbooks/build-essential/metadata.json
new file mode 100644
index 0000000..8c356df
--- /dev/null
+++ b/cookbooks/build-essential/metadata.json
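Review bot: `repo_name` is accepted as any `String` and the provider uses it unchecked to build `/etc/apt/sources.list.d/#{new_resource.repo_name}-source.list`, so a name containing `/` or `..` writes outside that directory, and a name with characters apt ignores in sources.list.d (only `[A-Za-z0-9_.-]` are read) is written but silently never used. Add `:regex => /\A[A-Za-z0-9_.-]+\z/` to the `repo_name` attribute and a hex-only `:regex => /\A[0-9A-Fa-f]+\z/` to `key`, and mark `uri` and `distribution` `:required => true`, since the provider interpolates them into the listing without a nil check. The comment on `deb_src` says "as well", which is not what the provider does today; either the comment or the provider should change so the attribute's contract is unambiguous.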
@@ -0,0 +1,47 @@
+{
+ "platforms": {
+ "debian": [
+
+ ],
+ "centos": [
+
+ ],
+ "ubuntu": [
+
+ ]
+ },
+ "maintainer": "Opscode, Inc.",
+ "replacing": {
+
+ },
+ "license": "Apache 2.0",
+ "maintainer_email": "cookbooks@opscode.com",
+ "groupings": {
+
+ },
+ "recommendations": {
+
+ },
+ "description": "Installs C compiler / build tools",
+ "version": "0.7.0",
+ "suggestions": {
+
+ },
+ "attributes": {
+
+ },
+ "conflicting": {
+
+ },
+ "name": "build-essential",
+ "recipes": {
+
+ },
+ "dependencies": {
+
+ },
+ "long_description": "",
+ "providing": {
+
+ }
+}
\ No newline at end of file
diff --git a/cookbooks/build-essential/metadata.rb b/cookbooks/build-essential/metadata.rb
new file mode 100644
index 0000000..5e1613e
--- /dev/null
+++ b/cookbooks/build-essential/metadata.rb
@@ -0,0 +1,9 @@
+maintainer "Opscode, Inc."
+maintainer_email "cookbooks@opscode.com"
+license "Apache 2.0"
+description "Installs C compiler / build tools"
+version "0.7"
+
+%w{ centos ubuntu debian }.each do |os|
+ supports os
+end
diff --git a/cookbooks/build-essential/recipes/default.rb b/cookbooks/build-essential/recipes/default.rb
new file mode 100644
index 0000000..b4dcce0
--- /dev/null
+++ b/cookbooks/build-essential/recipes/default.rb
@@ -0,0 +1,43 @@
+#
+# Cookbook Name:: build-essential
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case node[:platform]
+when "ubuntu","debian"
+ %w{build-essential binutils-doc}.each do |pkg|
+ package pkg do
+ action :install
+ end
+ end
+when "centos"
+ package "gcc" do
+ action :install
+ end
+end
+
+package "autoconf" do
+ action :install
+end
+
+package "flex" do
+ action :install
+end
+
+package "bison" do
+ action :install
+end
diff --git a/cookbooks/glance/README.rdoc b/cookbooks/glance/README.rdoc
new file mode 100644
index 0000000..b7f4f00
--- /dev/null
+++ b/cookbooks/glance/README.rdoc
@@ -0,0 +1,14 @@
+= DESCRIPTION:
+
+Chef Cookbooks to setup Glance API and Registry.
+
+= REQUIREMENTS:
+
+Requires access to glance packages.
+
+= ATTRIBUTES:
+
+See attributes/default.rb.
+
+= USAGE:
+
diff --git a/cookbooks/glance/attributes/default.rb b/cookbooks/glance/attributes/default.rb
new file mode 100644
index 0000000..4b39096
--- /dev/null
+++ b/cookbooks/glance/attributes/default.rb
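Review bot: The `case node[:platform]` in build-essential's default recipe has no `else`, so on any platform other than ubuntu, debian or centos the compiler is silently skipped while `autoconf`, `flex` and `bison` are still requested and the run reports success; an `else` branch with `Chef::Log.warn "build-essential: no compiler package known for #{node[:platform]}"` makes the gap visible in the run log. The three trailing `package` blocks can collapse to `%w{autoconf flex bison}.each do |pkg| package pkg do action :install end end`, matching the style the ubuntu branch already uses.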
@@ -0,0 +1,21 @@
+default[:glance][:config_file]="/etc/glance/glance.conf"
+default[:glance][:log_dir]="/var/log/glance"
+default[:glance][:working_directory]="/var/lib/glance"
+default[:glance][:pid_directory]="/var/run/glance/"
+
+default[:glance][:verbose] = "True"
+default[:glance][:debug] = "True"
+default[:glance][:api_bind_host] = "0.0.0.0"
+default[:glance][:api_bind_port] = "9292"
+default[:glance][:registry_host] = "0.0.0.0"
+default[:glance][:registry_bind_host] = "0.0.0.0"
+default[:glance][:registry_bind_port] = "9191"
+default[:glance][:sql_connection] = "sqlite:////var/lib/glance/glance.sqlite"
+default[:glance][:sql_idle_timeout] = "3600"
+
+#default_store choices are: file, http, https, swift, s3
+default[:glance][:default_store] = "file"
+default[:glance][:filesystem_store_datadir] = "/var/lib/glance/images"
+
+# automatically glance upload the tty linux image. (glance::setup recipe)
+default[:glance][:tty_linux_image] = "http://images.ansolabs.com/tty.tgz"
diff --git a/cookbooks/glance/definitions/glance_service.rb b/cookbooks/glance/definitions/glance_service.rb
new file mode 100644
index 0000000..968f9aa
--- /dev/null
+++ b/cookbooks/glance/definitions/glance_service.rb
@@ -0,0 +1,16 @@
+define :glance_service do
+
+ service_name="glance-#{params[:name]}"
+ pidfile="#{node[:glance][:pid_directory]}/#{service_name}.pid"
+
+ service service_name do
+ start_command "cd #{node[:glance][:working_directory]} && su -c 'glance-control #{params[:name]} start --pid-file=#{pidfile}' glance"
+ stop_command "su -c 'glance-control #{params[:name]} stop --pid-file=#{pidfile}' glance"
+ restart_command "su -c 'glance-control #{params[:name]} restart --pid-file=#{pidfile}' glance"
+ status_command "pgrep #{service_name}"
+ supports :status => true, :restart => true
+ action :start
+ subscribes :restart, resources(:template => "/etc/glance/glance.conf")
+ end
+
+end
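Review bot: `default[:glance][:registry_host] = "0.0.0.0"` is consumed by the template as the address the API server connects to (`registry_host = <%= node[:glance][:registry_host] %>`), and 0.0.0.0 is a wildcard bind address rather than a destination; `default[:glance][:registry_host] = "127.0.0.1"` is what a co-located registry needs. Both listeners default to all interfaces (`api_bind_host`, `registry_bind_host`) and nothing in this commit narrows who can reach them; if the registry is only used by the API on the same host, `registry_bind_host` of `"127.0.0.1"` removes one network-exposed service. `pid_directory` carries a trailing slash that glance_service.rb then joins with another `/`, producing `/var/run/glance//glance-api.pid`; drop the trailing slash. `debug` and `verbose` defaulting to `"True"` deserve a comment saying that is intentional, since it looks like a development setting left in a default.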
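Review bot: `subscribes :restart, resources(:template => "/etc/glance/glance.conf")` hard-codes the path, while common.rb declares the template from `node[:glance][:config_file]`; if that attribute is overridden the `resources()` lookup finds nothing and every glance_service call raises. Use `subscribes :restart, resources(:template => node[:glance][:config_file])`. `status_command "pgrep #{service_name}"` is a pattern match on process names, so any process whose name contains `glance-api` satisfies it, and whether the processes started by glance-control actually carry that name is not visible here; checking the pidfile the definition already computes, `status_command "test -f #{pidfile} && kill -0 $(cat #{pidfile})"`, ties status to the process this resource started. The pidfile path also ends up with a double slash while `pid_directory` keeps its trailing slash in the attributes file.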
diff --git a/cookbooks/glance/metadata.rb b/cookbooks/glance/metadata.rb
new file mode 100644
index 0000000..c24826a
--- /dev/null
+++ b/cookbooks/glance/metadata.rb
@@ -0,0 +1,6 @@
+maintainer "Dan Prince"
+maintainer_email "dan.prince@rackspace.com"
+license "Apache 2.0"
+description "Installs/Configures Glance"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc'))
+version "0.1"
diff --git a/cookbooks/glance/recipes/api.rb b/cookbooks/glance/recipes/api.rb
new file mode 100644
index 0000000..64cf0a1
--- /dev/null
+++ b/cookbooks/glance/recipes/api.rb
@@ -0,0 +1,9 @@
+#
+# Cookbook Name:: glance
+# Recipe:: api
+#
+#
+
+include_recipe "#{@cookbook_name}::common"
+
+glance_service "api"
diff --git a/cookbooks/glance/recipes/common.rb b/cookbooks/glance/recipes/common.rb
new file mode 100644
index 0000000..d2336fc
--- /dev/null
+++ b/cookbooks/glance/recipes/common.rb
@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: glance
+# Recipe:: common
+#
+#
+
+package "glance" do
+ options "--force-yes"
+ action :install
+end
+
+[node[:glance][:log_dir], node[:glance][:working_directory], File::dirname(node[:glance][:config_file]), node[:glance][:pid_directory]].each do |glance_dir|
+
+ directory glance_dir do
+ owner "glance"
+ group "root"
+ mode "0755"
+ action :create
+ end
+
+end
+
+template node[:glance][:config_file] do
+ source "glance.conf.erb"
+ owner "glance"
+ group "root"
+ mode 0644
+end
diff --git a/cookbooks/glance/recipes/default.rb b/cookbooks/glance/recipes/default.rb
new file mode 100644
index 0000000..7c8a094
--- /dev/null
+++ b/cookbooks/glance/recipes/default.rb
@@ -0,0 +1,5 @@
+#
+# Cookbook Name:: glance
+# Recipe:: default
+#
+#
diff --git a/cookbooks/glance/recipes/registry.rb b/cookbooks/glance/recipes/registry.rb
new file mode 100644
index 0000000..3222277
--- /dev/null
+++ b/cookbooks/glance/recipes/registry.rb
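Review bot: `options "--force-yes"` on the `package "glance"` resource tells apt to continue past its safety checks, including the stop for packages it cannot authenticate, so an unsigned or mis-signed glance package from whichever repository the node has configured installs without complaint. If the intent is only a non-interactive install, drop the option (Chef's apt provider already passes `-y`) and make the repository's signing key trusted instead; if it works around a specific package problem, name it in a comment. Separately, `glance.conf` is rendered with `mode 0644` and carries `sql_connection`, which embeds database credentials for any non-sqlite backend; `mode 0640` with the existing `owner "glance"` / `group "root"` keeps it readable by the service but not by every local account. Minor: `File::dirname` is conventionally written `File.dirname`.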
@@ -0,0 +1,9 @@
+#
+# Cookbook Name:: glance
+# Recipe:: registry
+#
+#
+
+include_recipe "#{@cookbook_name}::common"
+
+glance_service "registry"
diff --git a/cookbooks/glance/recipes/setup.rb b/cookbooks/glance/recipes/setup.rb
new file mode 100644
index 0000000..7857a6a
--- /dev/null
+++ b/cookbooks/glance/recipes/setup.rb
@@ -0,0 +1,20 @@
+#
+# Cookbook Name:: glance
+# Recipe:: setup
+#
+
+include_recipe "#{@cookbook_name}::common"
+
+bash "tty linux setup" do
+ cwd "/tmp"
+ user "root"
+ code <<-EOH
+ mkdir -p /var/lib/glance/
+ curl #{node[:glance][:tty_linux_image]} | tar xvz -C /tmp/
+ glance-upload --type ramdisk /tmp/ari-tty/image ari-tty
+ glance-upload --type kernel /tmp/aki-tty/image aki-tty
+ glance-upload --type machine /tmp/ami-tty/image ami-tty --ramdisk=1 --kernel=2
+ touch /var/lib/glance/tty_setup
+ EOH
+ not_if do File.exists?("/var/lib/glance/tty_setup") end
+end
diff --git a/cookbooks/glance/templates/default/glance.conf.erb b/cookbooks/glance/templates/default/glance.conf.erb
new file mode 100644
index 0000000..0e6973b
--- /dev/null
+++ b/cookbooks/glance/templates/default/glance.conf.erb
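Review bot: `curl #{node[:glance][:tty_linux_image]} | tar xvz -C /tmp/` fetches the archive over plain HTTP (the default URL is `http://`), pipes it straight into tar as root, and nothing checks what arrived before it is registered in Glance as the tty kernel, ramdisk and machine images. Download to a file, verify it against a pinned digest kept next to the URL attribute (`sha256sum -c`), and only then extract. The heredoc also has no `set -e`, so a failed curl, tar or glance-upload still reaches `touch /var/lib/glance/tty_setup`, after which the `not_if` guard stops the recipe from ever retrying; `set -e` plus `curl -f` at the top of the script closes that gap. `--ramdisk=1 --kernel=2` assumes the two preceding uploads were assigned ids 1 and 2, which only holds on an empty registry. `File.exists?` is the deprecated spelling of `File.exist?`.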
@@ -0,0 +1,56 @@
+#--working_directory=<%= node[:glance][:working_directory] %>
+#--logdir=<%= node[:glance][:logdir] %>
+
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+verbose = <%= node[:glance][:verbose] %>
+
+# Show debugging output in logs (sets DEBUG log level output)
+debug = <%= node[:glance][:debug] %>
+
+[app:glance-api]
+paste.app_factory = glance.server:app_factory
+
+# Directory that the Filesystem backend store
+# writes image data to
+filesystem_store_datadir=<%= node[:glance][:filesystem_store_datadir] %>
+
+# Which backend store should Glance use by default is not specified
+# in a request to add a new image to Glance? Default: 'file'
+# Available choices are 'file', 'swift', and 's3'
+default_store = <%= node[:glance][:default_store] %>
+
+# Address to bind the API server
+bind_host = <%= node[:glance][:api_bind_host] %>
+
+# Port the bind the API server to
+bind_port = <%= node[:glance][:api_bind_port] %>
+
+# Address to find the registry server
+registry_host = <%= node[:glance][:registry_host] %>
+
+# Port the registry server is listening on
+registry_port = <%= node[:glance][:registry_bind_port] %>
+
+[app:glance-registry]
+paste.app_factory = glance.registry.server:app_factory
+
+# Address to bind the registry server
+bind_host = <%= node[:glance][:registry_bind_host] %>
+
+# Port the bind the registry server to
+bind_port = <%= node[:glance][:registry_bind_port] %>
+
+# SQLAlchemy connection string for the reference implementation
+# registry server. Any valid SQLAlchemy connection string is fine.
+# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
+sql_connection = <%= node[:glance][:sql_connection] %>
+
+# Period in seconds after which SQLAlchemy should reestablish its connection
+# to the database.
+#
+# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
+# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
+# notice this, you can lower this value to ensure that SQLAlchemy reconnects
+# before MySQL can drop the connection.
+sql_idle_timeout = 3600
diff --git a/cookbooks/mysql/README.rdoc b/cookbooks/mysql/README.rdoc
new file mode 100644
index 0000000..97181d3
--- /dev/null
+++ b/cookbooks/mysql/README.rdoc
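Review bot: `sql_idle_timeout = 3600` is a literal even though attributes/default.rb defines `default[:glance][:sql_idle_timeout]`, so overriding that attribute has no effect; it should read `sql_idle_timeout = <%= node[:glance][:sql_idle_timeout] %>`. The commented header line `#--logdir=<%= node[:glance][:logdir] %>` references `logdir`, but the attribute is named `log_dir`, so it renders empty — fix the name or drop the two `#--` lines, which look like leftovers. The `default_store` comment lists 'file', 'swift' and 's3' while the attributes file documents file, http, https, swift, s3; the two should agree.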
@@ -0,0 +1,143 @@ += DESCRIPTION: + +Installs and configures MySQL client or server. + += REQUIREMENTS: + +== Platform: + +Best tested on Ubuntu 9.04,9.10. On EC2, requires platform that supports -o bind option for the 'mount' command. + +== Cookbooks: + +Requires Opscode's openssl cookbook for secure password generation. + +Requires a C compiler and Ruby development package in order to build mysql gem with native extensions. On Debian and Ubuntu systems this is satisfied by installing the "build-essential" and "ruby-dev" packages before running Chef. See USAGE below for information on how to handle this during a Chef run. + += RESOURCES AND PROVIDERS + +The cookbook contains a LWRP, +mysql_database+ which can be used to manage databases through calls to the MySQL API. The mysql gem is installed to make this usable. The provider currently supports three actions: + +* +flush_tables_with_read_lock+ - sends the sql command "flush tables with read lock", used for setting up mysql master/slave replication. +* +unflush_tables+ - sends the sql command "unflush tables", used for setting up master/slave replication. +* +create_db+ - specify a database to be created. + +For example see the USAGE section below. + += ATTRIBUTES: + +* +mysql[:server_root_password]+ - Set the server's root password with this, default is a randomly generated password with +OpenSSL::Random.random_bytes+. +* +mysql[:server_repl_password]+ - Set the replication user 'repl' password with this, default is a randomly generated password with +OpenSSL::Random.random_bytes+. +* +mysql[:server_debian_password]+ - Set the debian-sys-maint user password with this, default is a randomly generated password with +OpenSSL::Random.random_bytes+. +* +mysql[:bind_address]+ - Listen address for MySQLd, default is node's ipaddress. 
+* +mysql[:datadir]+ - Location for mysql data directory, default is "/var/lib/mysql" +* +mysql[:ec2_path]+ - location of mysql datadir on EC2 nodes, default "/mnt/mysql" + +Performance tuning attributes, each corresponds to the same-named parameter in my.cnf; default values listed + +* +mysql[:tunable][:key_buffer]+ = "250M" +* +mysql[:tunable][:max_connections]+ = "800" +* +mysql[:tunable][:wait_timeout]+ = "180" +* +mysql[:tunable][:net_write_timeout]+ = "30" +* +mysql[:tunable][:net_write_timeout]+ = "30" +* +mysql[:tunable][:back_log]+ = "128" +* +mysql[:tunable][:table_cache]+ = "128" +* +mysql[:tunable][:max_heap_table_size]+ = "32M" + += USAGE: + +On client nodes, + + include_recipe "mysql::client" + +This will install the MySQL client libraries and development headers on the system. It will also install the Ruby Gem +mysql+, so that the cookbook's LWRP (above) can be used. This is done during the compile-phase of the Chef run. + + r = package ... do + action :nothing + end + + r.run_action(:install) + +This creates a resource object for the package and does the installation before other recipes are parsed. You'll need to have the C compiler and such (ie, build-essential on Ubuntu) before running the recipes, but we already do that when installing Chef :-). If you want to be able to access a MySQL database via Ruby within another recipe, you could do so, like so: + + Gem.clear_paths # needed for Chef to find the gem... + require 'mysql' # requires the mysql gem + + mysql_database "create application_production database" do + host "localhost" + username "root" + password node[:mysql][:server_root_password] + database "application_production" + action :create_db + end + +This will connect to the MySQL server running on localhost as "root" and password as +mysql[:server_root_password]+ attribute (see below) and create the database specified with the +database+ parameter. The provider will attempt to determine whether the database exists first. 
+ +On server nodes, + + include_recipe "mysql::server" + +On Debian and Ubuntu, this will preseed the mysql-server package with the randomly generated root password from the attributes file. On other platforms, it simply installs the required packages. It will also create an SQL file, /etc/mysql/grants.sql, that will be used to set up grants for the root, repl and debian-sys-maint users. + +On EC2 nodes, + + include_recipe "mysql::server_ec2" + +When the ec2_path doesn't exist we look for a mounted filesystem (eg, EBS) and move the datadir there. + +The client recipe is already included by server and 'default' recipes. + +To make sure that a C compiler and the Ruby development libraries are installed, use the following run list in the node or in a role: + + { + "run_list": [ + "recipe[build-essential]", + "recipe[ruby]", + "recipe[mysql::server]" + ] + } + +The build-essential and ruby cookbooks install the packages in question during the "execution" phase of the Chef client run, rather than the compile phase when the MySQL gem is installed. To work around this for now until the build-essential and ruby packages are updated, modify your local copies of the recipes: + +In the Opscode build-essential default recipe: + + %w{build-essential binutils-doc}.each do |pkg| + p = package pkg do + action :nothing + end + p.run_action(:install) + end + +And the ruby recipe to have the following: + + extra_packages.each do |pkg| + p = package pkg do + action :nothing + end + p.run_action(:install) + end + +These cookbooks aren't strict dependencies, and not if the installation process already included installing build-essential and ruby1.8-dev (e.g. RubyGems installation). 
+ +For more infromation on the compile vs execution phase of a Chef run: + + http://wiki.opscode.com/display/chef/Anatomy+of+a+Chef+Run + += LICENSE and AUTHOR: + +Author:: Joshua Timberman () +Author:: AJ Christensen () + +Copyright:: 2009, Opscode, Inc + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/cookbooks/mysql/attributes/server.rb b/cookbooks/mysql/attributes/server.rb new file mode 100644 index 0000000..d36376d --- /dev/null +++ b/cookbooks/mysql/attributes/server.rb 
@@ -0,0 +1,56 @@
+#
+# Cookbook Name:: mysql
+# Attributes:: server
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+::Chef::Node.send(:include, Opscode::OpenSSL::Password)
+
+set_unless[:mysql][:server_debian_password] = secure_password
+set_unless[:mysql][:server_root_password] = secure_password
+set_unless[:mysql][:server_repl_password] = secure_password
+default[:mysql][:bind_address] = ipaddress
+default[:mysql][:datadir] = "/var/lib/mysql"
+
+if attribute?(:ec2)
+ default[:mysql][:ec2_path] = "/mnt/mysql"
+ default[:mysql][:ebs_vol_dev] = "/dev/sdi"
+ default[:mysql][:ebs_vol_size] = 50
+end
+
+default[:mysql][:tunable][:back_log] = "128"
+default[:mysql][:tunable][:key_buffer] = "256M"
+default[:mysql][:tunable][:max_allowed_packet] = "16M"
+default[:mysql][:tunable][:max_connections] = "800"
+default[:mysql][:tunable][:max_heap_table_size] = "32M"
+default[:mysql][:tunable][:myisam_recover] = "BACKUP"
+default[:mysql][:tunable][:net_read_timeout] = "30"
+default[:mysql][:tunable][:net_write_timeout] = "30"
+default[:mysql][:tunable][:table_cache] = "128"
+default[:mysql][:tunable][:table_open_cache] = "128"
+default[:mysql][:tunable][:thread_cache] = "128"
+default[:mysql][:tunable][:thread_cache_size] = 8
+default[:mysql][:tunable][:thread_concurrency] = 10
+default[:mysql][:tunable][:thread_stack] = "256K"
+default[:mysql][:tunable][:wait_timeout] = "180"
+
+default[:mysql][:tunable][:query_cache_limit] = "1M"
+default[:mysql][:tunable][:query_cache_size] = "16M"
+
+default[:mysql][:tunable][:log_slow_queries] = "/var/log/mysql/slow.log"
+default[:mysql][:tunable][:long_query_time] = 2
+
+default[:mysql][:tunable][:innodb_buffer_pool_size] = "256M"
diff --git a/cookbooks/mysql/libraries/database.rb b/cookbooks/mysql/libraries/database.rb
new file mode 100644
index 0000000..8f9be21
--- /dev/null
+++ b/cookbooks/mysql/libraries/database.rb
@@ -0,0 +1,15 @@
+begin
+ require 'mysql'
+rescue LoadError
+ Chef::Log.warn("Missing gem 'mysql'")
+end
+
+module Opscode
+ module Mysql
+ module Database
+ def db
+ @@db ||= ::Mysql.new new_resource.host, new_resource.username, new_resource.password
+ end
+ end
+ end
+end
diff --git a/cookbooks/mysql/metadata.json b/cookbooks/mysql/metadata.json
new file mode 100644
index 0000000..4ce4914
--- /dev/null
+++ b/cookbooks/mysql/metadata.json
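Review bot: `default[:mysql][:bind_address] = ipaddress` makes mysqld listen on the node's primary interface for every node that includes mysql::server, so the root, repl and debian-sys-maint accounts are reachable from the network by default and protected only by the grants set up elsewhere (grants.sql is mentioned in the README but is not in this chunk). A loopback default with the interface address opted into explicitly is the safer shape: `default[:mysql][:bind_address] = "127.0.0.1"`, with a comment that replication setups must override it. The three `set_unless` lines also deserve a comment: the generated passwords become ordinary node attributes and are saved with the node object, so read access to this node on the Chef server is read access to these passwords.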
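Review bot: `@@db ||= ::Mysql.new new_resource.host, new_resource.username, new_resource.password` memoises one connection in a class variable with no key, so the first mysql_database resource's host and credentials are reused by every later resource in the run regardless of what they declare — a resource pointing at a different host silently runs its SQL against the first one. An instance variable on the provider, `@db ||= ::Mysql.new(new_resource.host, new_resource.username, new_resource.password)`, gives each resource its own connection; if sharing is wanted, key the cache by `[host, username]` instead. The connection is never closed either. The `rescue LoadError` only warns, so a missing gem surfaces later as a `NameError` on `::Mysql` from `load_current_resource` rather than at library load.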
@@ -0,0 +1,246 @@ +{ + "platforms": { + "debian": [ + + ], + "fedora": [ + + ], + "centos": [ + + ], + "suse": [ + + ], + "ubuntu": [ + + ], + "redhat": [ + + ] + }, + "maintainer": "Opscode, Inc.", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "cookbooks@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs and configures mysql for client or server", + "version": "0.24.4", + "suggestions": { + + }, + "attributes": { + "mysql/server_root_password": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "randomly generated", + "type": "string", + "recipes": [ + + ], + "description": "Randomly generated password for the mysqld root user", + "display_name": "MySQL Server Root Password" + }, + "mysql/tunable/max_heap_table_size": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "32M", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Max Heap Table Size" + }, + "mysql/datadir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/var/lib/mysql", + "type": "string", + "recipes": [ + + ], + "description": "Location of mysql databases", + "display_name": "MySQL Data Directory" + }, + "mysql/bind_address": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "ipaddress", + "type": "string", + "recipes": [ + + ], + "description": "Address that mysqld should listen on", + "display_name": "MySQL Bind Address" + }, + "mysql/tunable/back_log": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "128", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Back Log" + }, + "mysql/tunable/wait_timeout": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "180", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Wait Timeout" + }, + 
"mysql/tunable/net_read_timeout": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "30", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Net Read Timeout" + }, + "mysql/tunable/max_connections": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "800", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Max Connections" + }, + "mysql/tunable/table_open_cache": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "128", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Table Cache for MySQL >= 5.1.3" + }, + "mysql/tunable/table_cache": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "128", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Table Cache for MySQL < 5.1.3" + }, + "mysql/tunable": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "type": "hash", + "recipes": [ + + ], + "description": "Hash of MySQL tunable attributes", + "display_name": "MySQL Tunables" + }, + "mysql/ec2_path": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/mnt/mysql", + "type": "string", + "recipes": [ + + ], + "description": "Location of mysql directory on EC2 instance EBS volumes", + "display_name": "MySQL EC2 Path" + }, + "mysql/tunable/net_write_timeout": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "30", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tunable Net Write Timeout" + }, + "mysql/tunable/key_buffer": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "250M", + "type": "string", + "recipes": [ + + ], + "display_name": "MySQL Tuntable Key Buffer" + } + }, + "conflicting": { + + }, + "name": "mysql", + "recipes": { + "mysql": "Includes the client recipe to configure a client", + 
"mysql::client": "Installs packages required for mysql clients using run_action magic", + "mysql::server_ec2": "Performs EC2-specific mountpoint manipulation", + "mysql::server": "Installs packages required for mysql servers w/o manual intervention" + }, + "dependencies": { + "openssl": [ + + ] + }, + "long_description": "= DESCRIPTION:\n\nInstalls and configures MySQL client or server.\n\n= REQUIREMENTS:\n\n== Platform:\n\nBest tested on Ubuntu 9.04,9.10. On EC2, requires platform that supports -o bind option for the 'mount' command.\n\n== Cookbooks:\n\nRequires Opscode's openssl cookbook for secure password generation.\n\nRequires a C compiler and Ruby development package in order to build mysql gem with native extensions. On Debian and Ubuntu systems this is satisfied by installing the \"build-essential\" and \"ruby-dev\" packages before running Chef. See USAGE below for information on how to handle this during a Chef run.\n\n= RESOURCES AND PROVIDERS\n\nThe cookbook contains a LWRP, +mysql_database+ which can be used to manage databases through calls to the MySQL API. The mysql gem is installed to make this usable. 
The provider currently supports three actions:\n\n* +flush_tables_with_read_lock+ - sends the sql command \"flush tables with read lock\", used for setting up mysql master/slave replication.\n* +unflush_tables+ - sends the sql command \"unflush tables\", used for setting up master/slave replication.\n* +create_db+ - specify a database to be created.\n\nFor example see the USAGE section below.\n\n= ATTRIBUTES:\n\n* +mysql[:server_root_password]+ - Set the server's root password with this, default is a randomly generated password with +OpenSSL::Random.random_bytes+.\n* +mysql[:server_repl_password]+ - Set the replication user 'repl' password with this, default is a randomly generated password with +OpenSSL::Random.random_bytes+.\n* +mysql[:server_debian_password]+ - Set the debian-sys-maint user password with this, default is a randomly generated password with +OpenSSL::Random.random_bytes+.\n* +mysql[:bind_address]+ - Listen address for MySQLd, default is node's ipaddress.\n* +mysql[:datadir]+ - Location for mysql data directory, default is \"/var/lib/mysql\"\n* +mysql[:ec2_path]+ - location of mysql datadir on EC2 nodes, default \"/mnt/mysql\"\n\nPerformance tuning attributes, each corresponds to the same-named parameter in my.cnf; default values listed\n\n* +mysql[:tunable][:key_buffer]+ = \"250M\"\n* +mysql[:tunable][:max_connections]+ = \"800\"\n* +mysql[:tunable][:wait_timeout]+ = \"180\"\n* +mysql[:tunable][:net_write_timeout]+ = \"30\"\n* +mysql[:tunable][:net_write_timeout]+ = \"30\"\n* +mysql[:tunable][:back_log]+ = \"128\"\n* +mysql[:tunable][:table_cache]+ = \"128\"\n* +mysql[:tunable][:max_heap_table_size]+ = \"32M\"\n\n= USAGE:\n\nOn client nodes,\n\n include_recipe \"mysql::client\"\n\nThis will install the MySQL client libraries and development headers on the system. It will also install the Ruby Gem +mysql+, so that the cookbook's LWRP (above) can be used. This is done during the compile-phase of the Chef run.\n\n r = package ... 
do\n action :nothing\n end\n\n r.run_action(:install)\n\nThis creates a resource object for the package and does the installation before other recipes are parsed. You'll need to have the C compiler and such (ie, build-essential on Ubuntu) before running the recipes, but we already do that when installing Chef :-). If you want to be able to access a MySQL database via Ruby within another recipe, you could do so, like so:\n\n Gem.clear_paths # needed for Chef to find the gem...\n require 'mysql' # requires the mysql gem\n\n mysql_database \"create application_production database\" do\n host \"localhost\"\n username \"root\"\n password node[:mysql][:server_root_password]\n database \"application_production\"\n action :create_db\n end\n\nThis will connect to the MySQL server running on localhost as \"root\" and password as +mysql[:server_root_password]+ attribute (see below) and create the database specified with the +database+ parameter. The provider will attempt to determine whether the database exists first.\n\nOn server nodes,\n\n include_recipe \"mysql::server\"\n\nOn Debian and Ubuntu, this will preseed the mysql-server package with the randomly generated root password from the attributes file. On other platforms, it simply installs the required packages. 
It will also create an SQL file, /etc/mysql/grants.sql, that will be used to set up grants for the root, repl and debian-sys-maint users.\n\nOn EC2 nodes,\n\n include_recipe \"mysql::server_ec2\"\n\nWhen the ec2_path doesn't exist we look for a mounted filesystem (eg, EBS) and move the datadir there.\n\nThe client recipe is already included by server and 'default' recipes.\n\nTo make sure that a C compiler and the Ruby development libraries are installed, use the following run list in the node or in a role:\n\n {\n \"run_list\": [\n \"recipe[build-essential]\",\n \"recipe[ruby]\",\n \"recipe[mysql::server]\"\n ]\n }\n\nThe build-essential and ruby cookbooks install the packages in question during the \"execution\" phase of the Chef client run, rather than the compile phase when the MySQL gem is installed. To work around this for now until the build-essential and ruby packages are updated, modify your local copies of the recipes:\n\nIn the Opscode build-essential default recipe:\n\n %w{build-essential binutils-doc}.each do |pkg|\n p = package pkg do\n action :nothing\n end\n p.run_action(:install)\n end\n\nAnd the ruby recipe to have the following:\n\n extra_packages.each do |pkg|\n p = package pkg do\n action :nothing\n end\n p.run_action(:install)\n end\n\nThese cookbooks aren't strict dependencies, and not if the installation process already included installing build-essential and ruby1.8-dev (e.g. 
RubyGems installation).\n\nFor more infromation on the compile vs execution phase of a Chef run:\n\n http://wiki.opscode.com/display/chef/Anatomy+of+a+Chef+Run\n\n= LICENSE and AUTHOR:\n\nAuthor:: Joshua Timberman ()\nAuthor:: AJ Christensen ()\n\nCopyright:: 2009, Opscode, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/mysql/metadata.rb b/cookbooks/mysql/metadata.rb new file mode 100644 index 0000000..ae347c8 --- /dev/null +++ b/cookbooks/mysql/metadata.rb 
@@ -0,0 +1,78 @@
+maintainer "Opscode, Inc."
+maintainer_email "cookbooks@opscode.com"
+license "Apache 2.0"
+description "Installs and configures mysql for client or server"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc'))
+version "0.24.4"
+recipe "mysql", "Includes the client recipe to configure a client"
+recipe "mysql::client", "Installs packages required for mysql clients using run_action magic"
+recipe "mysql::server", "Installs packages required for mysql servers w/o manual intervention"
+recipe "mysql::server_ec2", "Performs EC2-specific mountpoint manipulation"
+
+%w{ debian ubuntu centos suse fedora redhat}.each do |os|
+ supports os
+end
+
+depends "openssl"
+
+attribute "mysql/server_root_password",
+ :display_name => "MySQL Server Root Password",
+ :description => "Randomly generated password for the mysqld root user",
+ :default => "randomly generated"
+
+attribute "mysql/bind_address",
+ :display_name => "MySQL Bind Address",
+ :description => "Address that mysqld should listen on",
+ :default => "ipaddress"
+
+attribute "mysql/datadir",
+ :display_name => "MySQL Data Directory",
+ :description => "Location of mysql databases",
+ :default => "/var/lib/mysql"
+
+attribute "mysql/ec2_path",
+ :display_name => "MySQL EC2 Path",
+ :description => "Location of mysql directory on EC2 instance EBS volumes",
+ :default => "/mnt/mysql"
+
+attribute "mysql/tunable",
+ :display_name => "MySQL Tunables",
+ :description => "Hash of MySQL tunable attributes",
+ :type => "hash"
+
+attribute "mysql/tunable/key_buffer",
+ :display_name => "MySQL Tuntable Key Buffer",
+ :default => "250M"
+
+attribute "mysql/tunable/max_connections",
+ :display_name => "MySQL Tunable Max Connections",
+ :default => "800"
+
+attribute "mysql/tunable/wait_timeout",
+ :display_name => "MySQL Tunable Wait Timeout",
+ :default => "180"
+
+attribute "mysql/tunable/net_read_timeout",
+ :display_name => "MySQL Tunable Net Read Timeout",
+ :default => "30"
+
+attribute "mysql/tunable/net_write_timeout",
+ :display_name => "MySQL Tunable Net Write Timeout",
+ :default => "30"
+
+attribute "mysql/tunable/back_log",
+ :display_name => "MySQL Tunable Back Log",
+ :default => "128"
+
+attribute "mysql/tunable/table_cache",
+ :display_name => "MySQL Tunable Table Cache for MySQL < 5.1.3",
+ :default => "128"
+
+attribute "mysql/tunable/table_open_cache",
+ :display_name => "MySQL Tunable Table Cache for MySQL >= 5.1.3",
+ :default => "128"
+
+attribute "mysql/tunable/max_heap_table_size",
+ :display_name => "MySQL Tunable Max Heap Table Size",
+ :default => "32M"
+
diff --git a/cookbooks/mysql/providers/database.rb b/cookbooks/mysql/providers/database.rb
new file mode 100644
index 0000000..051eb63
--- /dev/null
+++ b/cookbooks/mysql/providers/database.rb
@@ -0,0 +1,28 @@
+include Opscode::Mysql::Database
+
+action :flush_tables_with_read_lock do
+ Chef::Log.info "mysql_database: flushing tables with read lock"
+ db.query "flush tables with read lock"
+ new_resource.updated_by_last_action(true)
+end
+
+action :unflush_tables do
+ Chef::Log.info "mysql_database: unlocking tables"
+ db.query "unlock tables"
+ new_resource.updated_by_last_action(true)
+end
+
+action :create_db do
+ unless @mysqldb.exists
+ Chef::Log.info "mysql_database: Creating database #{new_resource.database}"
+ db.query("create database #{new_resource.database}")
+ new_resource.updated_by_last_action(true)
+ end
+end
+
+def load_current_resource
+ @mysqldb = Chef::Resource::MysqlDatabase.new(new_resource.name)
+ @mysqldb.database(new_resource.database)
+ exists = db.list_dbs.include?(new_resource.database)
+ @mysqldb.exists(exists)
+end
diff --git a/cookbooks/mysql/recipes/client.rb b/cookbooks/mysql/recipes/client.rb
new file mode 100644
index 0000000..91cd3dc
--- /dev/null
+++ b/cookbooks/mysql/recipes/client.rb
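Review bot: `attribute "mysql/tunable/key_buffer", ... :default => "250M"` disagrees with attributes/server.rb in this same commit, which sets `"256M"`; the metadata should follow the attributes file. Several attributes the cookbook sets are not declared here at all — `server_repl_password`, `server_debian_password`, `ebs_vol_dev`, `ebs_vol_size` and the remaining tunables (`max_allowed_packet`, `myisam_recover`, the `thread_*` and `query_cache_*` entries, `log_slow_queries`, `long_query_time`, `innodb_buffer_pool_size`). `"MySQL Tuntable Key Buffer"` has a typo. Documentation only; no code change proposed.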
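Review bot: `db.query("create database #{new_resource.database}")` interpolates the resource's `database` attribute into SQL unquoted; the value is authored in recipes rather than by end users, but any name that needs quoting breaks the statement, and quoting is what keeps the value a single identifier should it ever come from node data. Quote it as an identifier: `` db.query("create database `#{new_resource.database.gsub('`', '``')}`") ``. `load_current_resource` calls `db` for every action, so even `:flush_tables_with_read_lock` connects and lists databases before acting; harmless, but connection failures then surface during resource load rather than inside the action, which is worth a comment. The two lock actions unconditionally report `updated_by_last_action(true)`, which is reasonable for statements with no observable idempotent state.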
@@ -0,0 +1,73 @@
+#
+# Cookbook Name:: mysql
+# Recipe:: client
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+p = package "mysql-devel" do
+ package_name value_for_platform(
+ [ "centos", "redhat", "suse", "fedora"] => { "default" => "mysql-devel" },
+ "debian" => {
+ "5.0" => "libmysqlclient15-dev",
+ "5.0.1" => "libmysqlclient15-dev",
+ "5.0.2" => "libmysqlclient15-dev",
+ "5.0.3" => "libmysqlclient15-dev",
+ "5.0.4" => "libmysqlclient15-dev",
+ "5.0.5" => "libmysqlclient15-dev"
+ },
+ "ubuntu" => {
+ "8.04" => "libmysqlclient15-dev",
+ "8.10" => "libmysqlclient15-dev",
+ "9.04" => "libmysqlclient15-dev"
+ },
+ "default" => 'libmysqlclient-dev'
+ )
+ action :nothing
+end
+
+p.run_action(:install)
+
+o = package "mysql-client" do
+ package_name value_for_platform(
+ [ "centos", "redhat", "suse", "fedora"] => { "default" => "mysql" },
+ "default" => "mysql-client"
+ )
+ action :nothing
+end
+
+o.run_action(:install)
+
+r = gem_package "mysql" do
+ action :nothing
+end
+
+case node[:node]
+when "centos",
+ if node[:platform_version].to_f >= 5.0
+ r.run_action(:install)
+ else
+ package "ruby-mysql" do
+ action :install
+ end
+ end
+when "redhat", "suse", "fedora"
+ package "ruby-mysql" do
+ action :install
+ end
+
+else
+ r.run_action(:install)
+end
diff --git a/cookbooks/mysql/recipes/default.rb b/cookbooks/mysql/recipes/default.rb
new file mode 100644
index 0000000..9ff90d6
--- /dev/null
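Review bot: `case node[:node]` switches on an attribute nothing sets, so no platform-specific branch can ever match; it should be `case node[:platform]`, as server.rb does. The trailing comma in `when "centos",` also makes the following `if ... end` a second `when` value rather than the branch body, so the RHEL-5 gem-vs-package choice (and its `run_action` side effects) is evaluated as a comparison value for every node that is not "centos", while the centos branch itself is empty. Dropping the comma, `when "centos"`, restores the intended structure.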
+++ b/cookbooks/mysql/recipes/default.rb
@@ -0,0 +1,20 @@
+#
+# Cookbook Name:: mysql
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "mysql::client"
diff --git a/cookbooks/mysql/recipes/server.rb b/cookbooks/mysql/recipes/server.rb
new file mode 100644
index 0000000..0469cde
--- /dev/null
+++ b/cookbooks/mysql/recipes/server.rb
@@ -0,0 +1,119 @@
+#
+# Cookbook Name:: mysql
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "mysql::client"
+
+case node[:platform]
+when "debian","ubuntu"
+
+ directory "/var/cache/local/preseeding" do
+ owner "root"
+ group "root"
+ mode 0755
+ recursive true
+ end
+
+ execute "preseed mysql-server" do
+ command "debconf-set-selections /var/cache/local/preseeding/mysql-server.seed"
+ action :nothing
+ end
+
+ template "/var/cache/local/preseeding/mysql-server.seed" do
+ source "mysql-server.seed.erb"
+ owner "root"
+ group "root"
+ mode "0600"
+ notifies :run, resources(:execute => "preseed mysql-server"), :immediately
+ end
+ template "/etc/mysql/debian.cnf" do
+ source "debian.cnf.erb"
+ owner "root"
+ group "root"
+ mode "0600"
+ end
+end
+
+package "mysql-server" do
+ action :install
+end
+
+service "mysql" do
+ service_name value_for_platform([ "centos", "redhat", "suse", "fedora" ] => {"default" => "mysqld"}, "default" => "mysql")
+ if (platform?("ubuntu") && node.platform_version.to_f >= 10.04)
+ restart_command "restart mysql"
+ stop_command "stop mysql"
+ start_command "start mysql"
+ end
+ supports :status => true, :restart => true, :reload => true
+ action :nothing
+end
+
+template value_for_platform([ "centos", "redhat", "suse" , "fedora" ] => {"default" => "/etc/my.cnf"}, "default" => "/etc/mysql/my.cnf") do
+ source "my.cnf.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+ notifies :restart, resources(:service => "mysql"), :immediately
+end
+
+unless Chef::Config[:solo]
+ ruby_block "save node data" do
+ block do
+ node.save
+ end
+ action :create
+ end
+end
+
+# set the root password on platforms
+# that don't support pre-seeding
+unless %w{debian ubuntu}.include?(node[:platform])
+ execute "assign-root-password" do
+ command "/usr/bin/mysqladmin -u root password #{node[:mysql][:server_root_password]}"
+ action :run
+ only_if "/usr/bin/mysql -u root -e 'show databases;'"
+ end
+end
+
+grants_path = value_for_platform(
+ ["centos", "redhat", "suse", "fedora" ] => {
+ "default" => "/etc/mysql_grants.sql"
+ },
+ "default" => "/etc/mysql/grants.sql"
+)
+
+begin
+ t = resources(:template => "/etc/mysql/grants.sql")
+rescue
+ Chef::Log.warn("Could not find previously defined grants.sql resource")
+ t = template "/etc/mysql/grants.sql" do
+ path grants_path
+ source "grants.sql.erb"
+ owner "root"
+ group "root"
+ mode "0600"
+ action :create
+ end
+end
+
+execute "mysql-install-privileges" do
+ command "/usr/bin/mysql -u root #{node[:mysql][:server_root_password].empty? ? '' : '-p' }#{node[:mysql][:server_root_password]} < #{grants_path}"
+ action :nothing
+ subscribes :run, resources(:template => "/etc/mysql/grants.sql"), :immediately
+end
diff --git a/cookbooks/mysql/recipes/server_ec2.rb b/cookbooks/mysql/recipes/server_ec2.rb
new file mode 100644
index 0000000..3a5898d
--- /dev/null
+++ b/cookbooks/mysql/recipes/server_ec2.rb
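Review bot: Both `execute` resources put the MySQL root password on the command line — `mysqladmin -u root password #{…}` in "assign-root-password" and `mysql -u root -p#{…}` in "mysql-install-privileges" — where it is readable by every local user through the process list and is echoed by Chef's execute logging; the value is also interpolated unquoted into a shell string, so a generated password containing shell metacharacters would break or alter the command. The `execute` resource takes an `environment` hash, so `environment "MYSQL_PWD" => node[:mysql][:server_root_password]` together with `command "/usr/bin/mysql -u root < #{grants_path}"` keeps the secret off argv, and the initial root-password assignment could likewise go through the root-only (0600) grants file, which already issues `SET PASSWORD` for root. Separately, the bare `rescue` around `resources(:template => "/etc/mysql/grants.sql")` swallows every StandardError rather than just a missing resource; `rescue Chef::Exceptions::ResourceNotFound` is the precise form. Nit: this file's header says `Recipe:: default`.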
@@ -0,0 +1,49 @@
+#
+# Cookbook Name:: mysql
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+if (node[:ec2] && ! FileTest.directory?(node[:mysql][:ec2_path]))
+
+ service "mysql" do
+ action :stop
+ end
+
+ execute "install-mysql" do
+ command "mv #{node[:mysql][:datadir]} #{node[:mysql][:ec2_path]}"
+ not_if do FileTest.directory?(node[:mysql][:ec2_path]) end
+ end
+
+ directory node[:mysql][:ec2_path] do
+ owner "mysql"
+ group "mysql"
+ end
+
+ mount node[:mysql][:datadir] do
+ device node[:mysql][:ec2_path]
+ fstype "none"
+ options "bind,rw"
+ action :mount
+ end
+
+ service "mysql" do
+ action :start
+ end
+
+end
+
diff --git a/cookbooks/mysql/resources/database.rb b/cookbooks/mysql/resources/database.rb
new file mode 100644
index 0000000..2d4d0f9
--- /dev/null
+++ b/cookbooks/mysql/resources/database.rb
@@ -0,0 +1,7 @@
+actions :flush_tables_with_read_lock, :unflush_tables, :create_db
+
+attribute :host, :kind_of => String
+attribute :username, :kind_of => String
+attribute :password, :kind_of => String
+attribute :database, :kind_of => String
+attribute :exists, :default => false
diff --git a/cookbooks/mysql/templates/centos/my.cnf.erb b/cookbooks/mysql/templates/centos/my.cnf.erb
new file mode 100644
index 0000000..1b668a6
--- /dev/null
+++ b/cookbooks/mysql/templates/centos/my.cnf.erb
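Review bot: After `execute "install-mysql"` moves `node[:mysql][:datadir]` to the EBS path, the original datadir no longer exists, yet the `mount` resource uses it as the mount point, so the bind mount fails unless the directory is recreated first; a `directory node[:mysql][:datadir] do owner "mysql"; group "mysql"; mode "0700"; end` placed before the `mount` block fixes that. The mount is also only `:mount`ed, never `:enable`d in fstab, and the whole block is skipped once `ec2_path` exists, so after a reboot mysqld would start against a missing or empty datadir — `action [:mount, :enable]` is the usual fix. The two `service "mysql"` resources here lack the upstart start/stop commands that server.rb sets for Ubuntu ≥ 10.04, so stop/start may not behave the same on those releases. Nit: the header says `Recipe:: default`.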
@@ -0,0 +1,12 @@
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+user=mysql
+# Default to using old password format for compatibility with mysql 3.x
+# clients (those using the mysqlclient10 compatibility package).
+old_passwords=1
+
+[mysqld_safe]
+log-error=/var/log/mysqld.log
+pid-file=/var/run/mysqld/mysqld.pid
+
diff --git a/cookbooks/mysql/templates/debian/my.cnf.erb b/cookbooks/mysql/templates/debian/my.cnf.erb
new file mode 100644
index 0000000..9106b2e
--- /dev/null
+++ b/cookbooks/mysql/templates/debian/my.cnf.erb
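Review bot: `old_passwords=1` makes mysqld store and accept the pre-4.1 16-byte password hash, which is far weaker than the 4.1+ scheme and exists only for the mysqlclient10 compatibility the comment mentions; unless such clients are really present it should be dropped, or at least driven by an attribute rather than hard-wired. This template also sets no `bind-address`, so unlike the debian/default templates mysqld listens on every interface regardless of `node[:mysql][:bind_address]`; adding `bind-address=<%= node[:mysql][:bind_address] %>` under `[mysqld]` keeps the platforms consistent. templates/redhat/my.cnf.erb is byte-identical (same blob 1b668a6) and shares both points.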
@@ -0,0 +1,156 @@ +# +# Generated by Chef for <%= node[:hostname] %> +# +# Local modifications will be overwritten. +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# + +# +# * IMPORTANT +# If you make changes to these settings and your system uses apparmor, you may +# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld. +# + +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = <%= node[:mysql][:datadir] %> +tmpdir = /tmp +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. 
+bind-address = <%= node[:mysql][:bind_address] %> +# +# * Fine Tuning +# +key_buffer = <%= node[:mysql][:tunable][:key_buffer] %> +max_allowed_packet = 16M +thread_stack = 128K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +max_connections = <%= node[:mysql][:tunable][:max_connections] %> +wait_timeout = <%= node[:mysql][:tunable][:wait_timeout] %> +net_read_timeout = <%= node[:mysql][:tunable][:net_read_timeout] %> +net_write_timeout = <%= node[:mysql][:tunable][:net_write_timeout] %> +back_log = <%= node[:mysql][:tunable][:back_log] %> +table_cache = <%= node[:mysql][:tunable][:table_cache] %> +max_heap_table_size = <%= node[:mysql][:tunable][:max_heap_table_size] %> + +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +#log = /var/log/mysql/mysql.log +# +# Error logging goes to syslog. This is a Debian improvement :) +# +# Here you can see queries with especially long duration +log_slow_queries = /var/log/mysql/mysql-slow.log +long_query_time = 2 +log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * BerkeleyDB +# +# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12. +skip-bdb +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! 
+# You might want to disable InnoDB to shrink the mysqld process by circa 100MB. +#skip-innodb +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * NDB Cluster +# +# See /usr/share/doc/mysql-server-*/README.Debian for more information. +# +# The following configuration is read by the NDB Data Nodes (ndbd processes) +# not from the NDB Management Nodes (ndb_mgmd processes). +# +# [MYSQL_CLUSTER] +# ndb-connectstring=127.0.0.1 +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +<%= "!includedir /etc/mysql/conf.d/" unless ["centos", "redhat","suse"].include?(node[:platform]) %> diff --git a/cookbooks/mysql/templates/default/debian.cnf.erb b/cookbooks/mysql/templates/default/debian.cnf.erb new file mode 100644 index 0000000..003dbb5 --- /dev/null +++ b/cookbooks/mysql/templates/default/debian.cnf.erb @@ -0,0 +1,11 @@ +[client] +host = localhost +user = debian-sys-maint +password = <%= node[:mysql][:server_debian_password] %> +socket = /var/run/mysqld/mysqld.sock +[mysql_upgrade] +host = localhost +user = debian-sys-maint +password = <%= node[:mysql][:server_debian_password] %> +socket = /var/run/mysqld/mysqld.sock +basedir = /usr diff --git a/cookbooks/mysql/templates/default/grants.sql.erb b/cookbooks/mysql/templates/default/grants.sql.erb new file mode 100644 index 0000000..f0c12bb --- /dev/null +++ b/cookbooks/mysql/templates/default/grants.sql.erb 
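Review bot: The comment directly above `bind-address` still says mysqld listens "only on localhost", but the rendered value is `<%= node[:mysql][:bind_address] %>`, whose metadata default is "ipaddress" — presumably the node's primary, routable address — so the comment misdescribes the security posture of the generated file; it should say that the listener address comes from the `mysql/bind_address` attribute and is not loopback by default. The `!includedir` guard on the last line lists centos/redhat/suse but not fedora, while the ubuntu-10.04 template includes fedora; since server.rb treats fedora like the other RHEL-family platforms, fedora belongs here too. templates/default/my.cnf.erb carries the same two points.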
@@ -0,0 +1,12 @@
+# Generated by Chef for <%= node[:fqdn] %>.
+# Local modifications will be overwritten.
+
+<% case node[:platform] -%>
+<% when "debian","ubuntu" -%>
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY '<%= node[:mysql][:server_debian_password] %>' WITH GRANT OPTION;
+<% end -%>
+# Grant replication for a slave user.
+GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%' identified by '<%= node[:mysql][:server_repl_password] %>';
+
+# Set the server root password. This should be preseeded by the package installation.
+SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<%= node[:mysql][:server_root_password] %>');
diff --git a/cookbooks/mysql/templates/default/my.cnf.erb b/cookbooks/mysql/templates/default/my.cnf.erb
new file mode 100644
index 0000000..dd42699
--- /dev/null
+++ b/cookbooks/mysql/templates/default/my.cnf.erb
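Review bot: `GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%'` creates a replication account that may log in from any host; together with a non-loopback `bind-address` that exposes a password-only login to the whole network, so the host part should come from an attribute naming the replica addresses (or at least a subnet) instead of `%`. The three passwords are interpolated into SQL string literals with no escaping, so a generated value containing `'` or `\` makes the file fail when replayed — the file is written 0600, so this is a correctness rather than an injection concern, but an escape helper or a safe password alphabet avoids it. Cosmetic: `identified by` is lower-case while the rest of the statement is upper-case.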
@@ -0,0 +1,163 @@ +# +# Generated by Chef for <%= node[:hostname] %> +# +# Local modifications will be overwritten. +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# + +# +# * IMPORTANT +# If you make changes to these settings and your system uses apparmor, you may +# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld. +# + +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = <%= node[:mysql][:datadir] %> +tmpdir = /tmp +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. 
+bind-address = <%= node[:mysql][:bind_address] %> +# +# * Fine Tuning +# +key_buffer = <%= node[:mysql][:tunable][:key_buffer] %> +max_allowed_packet = 16M +thread_stack = 128K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +max_connections = <%= node[:mysql][:tunable][:max_connections] %> +wait_timeout = <%= node[:mysql][:tunable][:wait_timeout] %> +net_read_timeout = <%= node[:mysql][:tunable][:net_read_timeout] %> +net_write_timeout = <%= node[:mysql][:tunable][:net_write_timeout] %> +back_log = <%= node[:mysql][:tunable][:back_log] %> +table_cache = <%= node[:mysql][:tunable][:table_cache] %> +max_heap_table_size = <%= node[:mysql][:tunable][:max_heap_table_size] %> + +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +#log = /var/log/mysql/mysql.log +# +# Error logging goes to syslog. This is a Debian improvement :) +# +# Here you can see queries with especially long duration +log_slow_queries = /var/log/mysql/mysql-slow.log +long_query_time = 2 +log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * BerkeleyDB +# +# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12. +skip-bdb +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! 
+# You might want to disable InnoDB to shrink the mysqld process by circa 100MB. +#skip-innodb +# +# * Federated +# +# The FEDERATED storage engine is disabled since 5.0.67 by default in the .cnf files +# shipped with MySQL distributions (my-huge.cnf, my-medium.cnf, and so forth). +# +skip-federated +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * NDB Cluster +# +# See /usr/share/doc/mysql-server-*/README.Debian for more information. +# +# The following configuration is read by the NDB Data Nodes (ndbd processes) +# not from the NDB Management Nodes (ndb_mgmd processes). +# +# [MYSQL_CLUSTER] +# ndb-connectstring=127.0.0.1 +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +<%= "!includedir /etc/mysql/conf.d/" unless ["centos", "redhat","suse"].include?(node[:platform]) %> diff --git a/cookbooks/mysql/templates/default/mysql-server.seed.erb b/cookbooks/mysql/templates/default/mysql-server.seed.erb new file mode 100644 index 0000000..a9432b8 --- /dev/null +++ b/cookbooks/mysql/templates/default/mysql-server.seed.erb 
@@ -0,0 +1,10 @@
+mysql-server-5.0 mysql-server/root_password_again select <%= node[:mysql][:server_root_password] %>
+mysql-server-5.0 mysql-server/root_password select <%= node[:mysql][:server_root_password] %>
+mysql-server-5.0 mysql-server-5.0/really_downgrade boolean false
+mysql-server-5.0 mysql-server-5.0/need_sarge_compat boolean false
+mysql-server-5.0 mysql-server-5.0/start_on_boot boolean true
+mysql-server-5.0 mysql-server/error_setting_password boolean false
+mysql-server-5.0 mysql-server-5.0/nis_warning note
+mysql-server-5.0 mysql-server-5.0/postrm_remove_databases boolean false
+mysql-server-5.0 mysql-server/password_mismatch boolean false
+mysql-server-5.0 mysql-server-5.0/need_sarge_compat_done boolean true
diff --git a/cookbooks/mysql/templates/default/port_mysql.erb b/cookbooks/mysql/templates/default/port_mysql.erb
new file mode 100644
index 0000000..55a2ffc
--- /dev/null
+++ b/cookbooks/mysql/templates/default/port_mysql.erb
@@ -0,0 +1,3 @@
+# MySQL
+-A FWR -p tcp -m tcp --dport 3306 -j ACCEPT
+-A FWR -p udp -m udp --dport 3306 -j ACCEPT
\ No newline at end of file
diff --git a/cookbooks/mysql/templates/redhat/my.cnf.erb b/cookbooks/mysql/templates/redhat/my.cnf.erb
new file mode 100644
index 0000000..1b668a6
--- /dev/null
+++ b/cookbooks/mysql/templates/redhat/my.cnf.erb
@@ -0,0 +1,12 @@
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+user=mysql
+# Default to using old password format for compatibility with mysql 3.x
+# clients (those using the mysqlclient10 compatibility package).
+old_passwords=1
+
+[mysqld_safe]
+log-error=/var/log/mysqld.log
+pid-file=/var/run/mysqld/mysqld.pid
+
diff --git a/cookbooks/mysql/templates/ubuntu-10.04/my.cnf.erb b/cookbooks/mysql/templates/ubuntu-10.04/my.cnf.erb
new file mode 100644
index 0000000..21271f9
--- /dev/null
+++ b/cookbooks/mysql/templates/ubuntu-10.04/my.cnf.erb
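Review bot: The second rule in port_mysql.erb, `-A FWR -p udp -m udp --dport 3306 -j ACCEPT`, opens UDP 3306 although the MySQL protocol is TCP-only, so it is an unnecessary firewall opening and should be removed. No `template` resource in the visible hunks renders this file, so it appears to be unused until a firewall recipe consumes it; a header comment naming the expected consumer and the `FWR` chain would make that dependency explicit. The file also lacks a trailing newline.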
@@ -0,0 +1,158 @@ +# +# Generated by Chef for <%= node[:hostname] %> +# +# Local modifications will be overwritten. +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# + +# +# * IMPORTANT +# If you make changes to these settings and your system uses apparmor, you may +# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld. +# + +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = <%= node[:mysql][:datadir] %> +tmpdir = /tmp +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. 
+bind-address = <%= node[:mysql][:bind_address] %> +# +# * Fine Tuning +# +key_buffer = <%= node[:mysql][:tunable][:key_buffer] %> +max_allowed_packet = <%= node[:mysql][:tunable][:max_allowed_packet] %> +thread_stack = <%= node[:mysql][:tunable][:thread_stack] %> +thread_cache_size = <%= node[:mysql][:tunable][:thread_cache_size] %> +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = <%= node[:mysql][:tunable][:myisam_recover] %> +max_connections = <%= node[:mysql][:tunable][:max_connections] %> +table_open_cache = <%= node[:mysql][:tunable][:table_open_cache] %> +thread_concurrency = <%= node[:mysql][:tunable][:thread_concurrency] %> +max_connections = <%= node[:mysql][:tunable][:max_connections] %> +wait_timeout = <%= node[:mysql][:tunable][:wait_timeout] %> +net_read_timeout = <%= node[:mysql][:tunable][:net_read_timeout] %> +net_write_timeout = <%= node[:mysql][:tunable][:net_write_timeout] %> +back_log = <%= node[:mysql][:tunable][:back_log] %> +max_heap_table_size = <%= node[:mysql][:tunable][:max_heap_table_size] %> + +# +# * Query Cache Configuration +# +query_cache_limit = <%= node[:mysql][:tunable][:query_cache_limit] %> +query_cache_size = <%= node[:mysql][:tunable][:query_cache_size] %> +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +#log = /var/log/mysql/mysql.log +# +# Error logging goes to syslog. This is a Debian improvement :) +# +# Here you can see queries with especially long duration +log_slow_queries = <%= node[:mysql][:tunable][:log_slow_queries] %> +long_query_time = <%= node[:mysql][:tunable][:long_query_time] %> +log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. 
+#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# You might want to disable InnoDB to shrink the mysqld process by circa 100MB. +#skip-innodb +innodb_buffer_pool_size = <%= node[:mysql][:tunable][:innodb_buffer_pool_size] %> +# +# * Federated +# +# The FEDERATED storage engine is disabled since 5.0.67 by default in the .cnf files +# shipped with MySQL distributions (my-huge.cnf, my-medium.cnf, and so forth). +# +skip-federated +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * NDB Cluster +# +# See /usr/share/doc/mysql-server-*/README.Debian for more information. +# +# The following configuration is read by the NDB Data Nodes (ndbd processes) +# not from the NDB Management Nodes (ndb_mgmd processes). +# +# [MYSQL_CLUSTER] +# ndb-connectstring=127.0.0.1 +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +<%= "!includedir /etc/mysql/conf.d/" unless ["centos", "redhat","suse", "fedora"].include?(node[:platform]) %> diff --git a/cookbooks/mysql/templates/ubuntu-10.10/my.cnf.erb b/cookbooks/mysql/templates/ubuntu-10.10/my.cnf.erb new file mode 100644 index 0000000..21271f9 --- /dev/null +++ b/cookbooks/mysql/templates/ubuntu-10.10/my.cnf.erb 
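Review bot: `max_connections = <%= node[:mysql][:tunable][:max_connections] %>` appears twice in the `[mysqld]` section (once after `myisam-recover`, once after `thread_concurrency`); the last occurrence wins, but the duplicate should go. This template also reads tunables — `max_allowed_packet`, `thread_stack`, `thread_cache_size`, `myisam_recover`, `thread_concurrency`, `query_cache_limit`, `query_cache_size`, `log_slow_queries`, `long_query_time`, `innodb_buffer_pool_size` — that metadata.rb does not declare; if the attributes file (not in my view) does not set them, those lines render as `key = ` and mysqld will refuse to start. templates/ubuntu-10.10/my.cnf.erb is byte-identical (blob 21271f9) and shares both points.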
@@ -0,0 +1,158 @@ +# +# Generated by Chef for <%= node[:hostname] %> +# +# Local modifications will be overwritten. +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# + +# +# * IMPORTANT +# If you make changes to these settings and your system uses apparmor, you may +# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld. +# + +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = <%= node[:mysql][:datadir] %> +tmpdir = /tmp +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. 
+bind-address = <%= node[:mysql][:bind_address] %> +# +# * Fine Tuning +# +key_buffer = <%= node[:mysql][:tunable][:key_buffer] %> +max_allowed_packet = <%= node[:mysql][:tunable][:max_allowed_packet] %> +thread_stack = <%= node[:mysql][:tunable][:thread_stack] %> +thread_cache_size = <%= node[:mysql][:tunable][:thread_cache_size] %> +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = <%= node[:mysql][:tunable][:myisam_recover] %> +max_connections = <%= node[:mysql][:tunable][:max_connections] %> +table_open_cache = <%= node[:mysql][:tunable][:table_open_cache] %> +thread_concurrency = <%= node[:mysql][:tunable][:thread_concurrency] %> +max_connections = <%= node[:mysql][:tunable][:max_connections] %> +wait_timeout = <%= node[:mysql][:tunable][:wait_timeout] %> +net_read_timeout = <%= node[:mysql][:tunable][:net_read_timeout] %> +net_write_timeout = <%= node[:mysql][:tunable][:net_write_timeout] %> +back_log = <%= node[:mysql][:tunable][:back_log] %> +max_heap_table_size = <%= node[:mysql][:tunable][:max_heap_table_size] %> + +# +# * Query Cache Configuration +# +query_cache_limit = <%= node[:mysql][:tunable][:query_cache_limit] %> +query_cache_size = <%= node[:mysql][:tunable][:query_cache_size] %> +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +#log = /var/log/mysql/mysql.log +# +# Error logging goes to syslog. This is a Debian improvement :) +# +# Here you can see queries with especially long duration +log_slow_queries = <%= node[:mysql][:tunable][:log_slow_queries] %> +long_query_time = <%= node[:mysql][:tunable][:long_query_time] %> +log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. 
+#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# You might want to disable InnoDB to shrink the mysqld process by circa 100MB. +#skip-innodb +innodb_buffer_pool_size = <%= node[:mysql][:tunable][:innodb_buffer_pool_size] %> +# +# * Federated +# +# The FEDERATED storage engine is disabled since 5.0.67 by default in the .cnf files +# shipped with MySQL distributions (my-huge.cnf, my-medium.cnf, and so forth). +# +skip-federated +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * NDB Cluster +# +# See /usr/share/doc/mysql-server-*/README.Debian for more information. +# +# The following configuration is read by the NDB Data Nodes (ndbd processes) +# not from the NDB Management Nodes (ndb_mgmd processes). +# +# [MYSQL_CLUSTER] +# ndb-connectstring=127.0.0.1 +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +<%= "!includedir /etc/mysql/conf.d/" unless ["centos", "redhat","suse", "fedora"].include?(node[:platform]) %> diff --git a/cookbooks/mysql/templates/ubuntu-8.04/my.cnf.erb b/cookbooks/mysql/templates/ubuntu-8.04/my.cnf.erb new file mode 100644 index 0000000..ee987c9 --- /dev/null +++ b/cookbooks/mysql/templates/ubuntu-8.04/my.cnf.erb 
@@ -0,0 +1,156 @@
+#
+# Generated by Chef for <%= node[:hostname] %>
+#
+# Local modifications will be overwritten.
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port = 3306
+socket = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+
+#
+# * IMPORTANT
+# If you make changes to these settings and your system uses apparmor, you may
+# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
+#
+
+user = mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = <%= node[:mysql][:datadir] %>
+tmpdir = /tmp
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = <%= node[:mysql][:bind_address] %>
+#
+# * Fine Tuning
+#
+key_buffer = <%= node[:mysql][:tunable][:key_buffer] %>
+max_allowed_packet = 16M
+thread_stack = 128K
+thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover = BACKUP
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+max_connections = <%= node[:mysql][:tunable][:max_connections] %>
+wait_timeout = <%= node[:mysql][:tunable][:wait_timeout] %>
+net_read_timeout = <%= node[:mysql][:tunable][:net_read_timeout] %>
+net_write_timeout = <%= node[:mysql][:tunable][:net_write_timeout] %>
+back_log = <%= node[:mysql][:tunable][:back_log] %>
+table_cache = <%= node[:mysql][:tunable][:table_cache] %>
+max_heap_table_size = <%= node[:mysql][:tunable][:max_heap_table_size] %>
+
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+#log = /var/log/mysql/mysql.log
+#
+# Error logging goes to syslog. This is a Debian improvement :)
+#
+# Here you can see queries with especially long duration
+log_slow_queries = /var/log/mysql/mysql-slow.log
+long_query_time = 2
+log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+#
+# * BerkeleyDB
+#
+# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
+skip-bdb
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
+#skip-innodb
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = 16M
+
+#
+# * NDB Cluster
+#
+# See /usr/share/doc/mysql-server-*/README.Debian for more information.
+#
+# The following configuration is read by the NDB Data Nodes (ndbd processes)
+# not from the NDB Management Nodes (ndb_mgmd processes).
+#
+# [MYSQL_CLUSTER]
+# ndb-connectstring=127.0.0.1
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+<%= "!includedir /etc/mysql/conf.d/" unless ["centos", "redhat","suse", "fedora"].include?(node[:platform]) %>
diff --git a/cookbooks/mysql/templates/ubuntu-9.10/my.cnf.erb b/cookbooks/mysql/templates/ubuntu-9.10/my.cnf.erb
new file mode 100644
index 0000000..ee25a26
--- /dev/null
+++ b/cookbooks/mysql/templates/ubuntu-9.10/my.cnf.erb
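Review bot: The `[mysqld]` fine-tuning block of this template hard-codes `max_allowed_packet = 16M`, `thread_stack = 128K`, `thread_cache_size = 8`, `myisam-recover = BACKUP`, `query_cache_limit`, `query_cache_size`, `log_slow_queries` and `long_query_time`, while `key_buffer`, `max_connections` and the timeouts right next to them read `node[:mysql][:tunable][...]`, and the template earlier in this commit renders the tunable for every one of these. A `node[:mysql][:tunable]` override therefore silently has no effect on these settings on 8.04, and the same applies to the ubuntu-9.10 template that follows. Either render the same attributes here (`max_allowed_packet = <%= node[:mysql][:tunable][:max_allowed_packet] %>` and so on) or state in the template header that these values are fixed on this platform.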
@@ -0,0 +1,158 @@
+#
+# Generated by Chef for <%= node[:hostname] %>
+#
+# Local modifications will be overwritten.
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port = 3306
+socket = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+
+#
+# * IMPORTANT
+# If you make changes to these settings and your system uses apparmor, you may
+# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
+#
+
+user = mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = <%= node[:mysql][:datadir] %>
+tmpdir = /tmp
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = <%= node[:mysql][:bind_address] %>
+#
+# * Fine Tuning
+#
+key_buffer = <%= node[:mysql][:tunable][:key_buffer] %>
+max_allowed_packet = 16M
+thread_stack = 192K
+thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover = BACKUP
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+max_connections = <%= node[:mysql][:tunable][:max_connections] %>
+wait_timeout = <%= node[:mysql][:tunable][:wait_timeout] %>
+net_read_timeout = <%= node[:mysql][:tunable][:net_read_timeout] %>
+net_write_timeout = <%= node[:mysql][:tunable][:net_write_timeout] %>
+back_log = <%= node[:mysql][:tunable][:back_log] %>
+table_cache = <%= node[:mysql][:tunable][:table_cache] %>
+max_heap_table_size = <%= node[:mysql][:tunable][:max_heap_table_size] %>
+
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+#log = /var/log/mysql/mysql.log
+#
+# Error logging goes to syslog. This is a Debian improvement :)
+#
+# Here you can see queries with especially long duration
+log_slow_queries = /var/log/mysql/mysql-slow.log
+long_query_time = 2
+log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
+#skip-innodb
+#
+# * Federated
+#
+# The FEDERATED storage engine is disabled since 5.0.67 by default in the .cnf files
+# shipped with MySQL distributions (my-huge.cnf, my-medium.cnf, and so forth).
+#
+skip-federated
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = 16M
+
+#
+# * NDB Cluster
+#
+# See /usr/share/doc/mysql-server-*/README.Debian for more information.
+#
+# The following configuration is read by the NDB Data Nodes (ndbd processes)
+# not from the NDB Management Nodes (ndb_mgmd processes).
+#
+# [MYSQL_CLUSTER]
+# ndb-connectstring=127.0.0.1
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+<%= "!includedir /etc/mysql/conf.d/" unless ["centos", "redhat","suse", "fedora"].include?(node[:platform]) %>
diff --git a/cookbooks/nova/README.rdoc b/cookbooks/nova/README.rdoc
new file mode 100644
index 0000000..8d77480
--- /dev/null
+++ b/cookbooks/nova/README.rdoc
@@ -0,0 +1,8 @@
+= DESCRIPTION:
+
+= REQUIREMENTS:
+
+= ATTRIBUTES:
+
+= USAGE:
+
diff --git a/cookbooks/nova/attributes/default.rb b/cookbooks/nova/attributes/default.rb
new file mode 100644
index 0000000..bfc9806
--- /dev/null
+++ b/cookbooks/nova/attributes/default.rb
@@ -0,0 +1,46 @@
+#
+# Cookbook Name:: nova
+# Attributes:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+::Chef::Node.send(:include, Opscode::OpenSSL::Password)
+
+default[:nova][:hostname] = "nova"
+default[:nova][:install_type] = "binary"
+default[:nova][:compute_connection_type] = "qemu"
+default[:nova][:creds][:user] = "nova"
+default[:nova][:creds][:group] = "nogroup"
+default[:nova][:creds][:dir] = "/var/lib/nova"
+default[:nova][:my_ip] = ipaddress
+default[:nova][:public_interface] = "eth1"
+default[:nova][:vlan_interface] = "eth1"
+default[:nova][:mysql] = true
+default[:nova][:images] = []
+default[:nova][:network] = "10.0.0.0/24 8 32"
+default[:nova][:floating_range] = "10.128.0.0/24"
+default[:nova][:user] = "admin"
+default[:nova][:project] = "admin"
+set_unless[:nova][:access_key] = secure_password
+set_unless[:nova][:secret_key] = secure_password
+default[:nova][:default_project] = "admin"
+default[:nova][:network_manager] = "nova.network.manager.VlanManager"
+#default[:nova][:flat_interface] = "tun0"
+default[:nova][:flat_network_dhcp_start] = "10.0.0.2"
+default[:nova][:image_service] = "nova.image.s3.S3ImageService"
+default[:nova][:glance_host] = "localhost"
+default[:nova][:glance_port] = "9292"
+default[:nova][:lock_path] = "/var/lib/nova/tmp"
diff --git a/cookbooks/nova/attributes/mysql.rb b/cookbooks/nova/attributes/mysql.rb
new file mode 100644
index 0000000..bb62b51
--- /dev/null
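Review bot: `set_unless[:nova][:access_key] = secure_password` and `set_unless[:nova][:secret_key] = secure_password` persist the generated secrets as ordinary node attributes, so they are saved to the Chef server and readable by any client that can read or search this node; attributes/mysql.rb (`db.password`) and attributes/rabbit.rb (`rabbit.password`) follow the same pattern, and recipes/common.rb later reads those passwords off other nodes via `search`, so the visibility is relied upon rather than accidental. If the Chef server also serves nodes outside this deployment, consider an encrypted data bag or restricted client permissions for these values. At minimum add a comment above the `set_unless` lines such as `# NOTE: stored as plain node attributes on the Chef server; readable by any client that can read this node`.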
+++ b/cookbooks/nova/attributes/mysql.rb
@@ -0,0 +1,24 @@
+#
+# Cookbook Name:: nova
+# Attributes:: mysql
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+::Chef::Node.send(:include, Opscode::OpenSSL::Password)
+
+set_unless[:nova][:db][:password] = secure_password
+default[:nova][:db][:user] = "nova"
+default[:nova][:db][:database] = "nova"
+default[:nova][:db][:sql_idle_timeout] = "60"
diff --git a/cookbooks/nova/attributes/rabbit.rb b/cookbooks/nova/attributes/rabbit.rb
new file mode 100644
index 0000000..833059d
--- /dev/null
+++ b/cookbooks/nova/attributes/rabbit.rb
@@ -0,0 +1,23 @@
+#
+# Cookbook Name:: nova
+# Attributes:: mysql
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+::Chef::Node.send(:include, Opscode::OpenSSL::Password)
+
+set_unless[:nova][:rabbit][:password] = secure_password
+default[:nova][:rabbit][:user] = "nova"
+default[:nova][:rabbit][:vhost] = "/nova"
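Review bot: The header of attributes/rabbit.rb says `# Attributes:: mysql`, evidently copied from attributes/mysql.rb; it should read `# Attributes:: rabbit`. The attribute definitions below it are fine as written.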
diff --git a/cookbooks/nova/attributes/source.rb b/cookbooks/nova/attributes/source.rb
new file mode 100644
index 0000000..566ab1c
--- /dev/null
+++ b/cookbooks/nova/attributes/source.rb
@@ -0,0 +1,6 @@
+default[:nova][:bzr_branch] = "lp:nova"
+default[:nova][:services_base_dir] = "/srv"
+default[:nova][:nova_base_dir] = File.join(node[:nova][:services_base_dir], "nova")
+default[:nova][:local_branch_name] = "running"
+default[:nova][:local_branch_dir] = File.join(node[:nova][:nova_base_dir], node[:nova][:local_branch_name])
+
diff --git a/cookbooks/nova/definitions/nova_package.rb b/cookbooks/nova/definitions/nova_package.rb
new file mode 100644
index 0000000..2022813
--- /dev/null
+++ b/cookbooks/nova/definitions/nova_package.rb
@@ -0,0 +1,21 @@
+define :nova_package do
+
+ nova_name="nova-#{params[:name]}"
+ package nova_name do
+ options "--force-yes"
+ action :install
+ end
+
+ service nova_name do
+ if (platform?("ubuntu") && node.platform_version.to_f >= 10.04)
+ restart_command "restart #{nova_name}"
+ stop_command "stop #{nova_name}"
+ start_command "start #{nova_name}"
+ status_command "status #{nova_name} | cut -d' ' -f2 | cut -d'/' -f1 | grep start"
+ end
+ supports :status => true, :restart => true
+ action :start
+ subscribes :restart, resources(:template => "/etc/nova/nova.conf")
+ end
+
+end
diff --git a/cookbooks/nova/files/default/base.ldif b/cookbooks/nova/files/default/base.ldif
new file mode 100644
index 0000000..1f4a8c1
--- /dev/null
+++ b/cookbooks/nova/files/default/base.ldif
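Review bot: `options "--force-yes"` on the `package nova_name` resource makes apt proceed even when a package cannot be authenticated, so a nova package from a repository whose signing key is missing or wrong installs without complaint; recipes/common.rb (`--force-yes -o Dpkg::Options::=\"--force-confdef\"`) and recipes/filevg.rb (the `lvm2` loop) pass the same flag. The `-o Dpkg::Options::="--force-confdef"` part only controls conffile prompts and can stay; drop `--force-yes` everywhere and have the apt cookbook install the repository key so the packages verify. The `status_command` pipeline on the `service` resource is presumably working around upstart's `status` output on 10.04, and a one-line comment saying so would help the next reader.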
@@ -0,0 +1,68 @@
+# This is the root of the directory tree
+dn: dc=example,dc=com
+description: Example.Com, your trusted non-existent corporation.
+dc: example
+o: Example.Com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+# Subtree for users
+dn: ou=Users,dc=example,dc=com
+ou: Users
+description: Users
+objectClass: organizationalUnit
+
+# Subtree for groups
+dn: ou=Groups,dc=example,dc=com
+ou: Groups
+description: Groups
+objectClass: organizationalUnit
+
+# Subtree for system accounts
+dn: ou=System,dc=example,dc=com
+ou: System
+description: Special accounts used by software applications.
+objectClass: organizationalUnit
+
+# Special Account for Authentication:
+dn: uid=authenticate,ou=System,dc=example,dc=com
+uid: authenticate
+ou: System
+description: Special account for authenticating users
+userPassword: {MD5}TLnIqASP0CKUR3/LGkEZGg==
+objectClass: account
+objectClass: simpleSecurityObject
+
+# create the sysadmin entry
+
+dn: cn=developers,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: developers
+description: IT admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=sysadmins,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: sysadmins
+description: IT admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=netadmins,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: netadmins
+description: Network admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=cloudadmins,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: cloudadmins
+description: Cloud admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=itsec,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: itsec
+description: IT security users group
+member: uid=admin,ou=Users,dc=example,dc=com
+
diff --git a/cookbooks/nova/files/default/default-rsync b/cookbooks/nova/files/default/default-rsync
new file mode 100644
index 0000000..039f393
--- /dev/null
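Review bot: The `uid=authenticate,ou=System` entry ships a fixed `userPassword` hash, so every deployment that loads this LDIF ends up with the same bind credential, and the unsalted `{MD5}` scheme gives little protection once the hash is readable. Generate this entry from a template with a per-node `secure_password` value hashed as `{SSHA}`, the way the attribute files in this commit already generate the database and rabbit passwords, instead of committing a hash to the cookbook. It is also worth confirming whether the `dc=example,dc=com` suffix and the `uid=admin` group members are meant to be replaced per site; a comment at the top of the file should say so if they are.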
+++ b/cookbooks/nova/files/default/default-rsync
@@ -0,0 +1,42 @@
+# defaults file for rsync daemon mode
+
+# start rsync in daemon mode from init.d script?
+# only allowed values are "true", "false", and "inetd"
+# Use "inetd" if you want to start the rsyncd from inetd,
+# all this does is prevent the init.d script from printing a message
+# about not starting rsyncd (you still need to modify inetd's config yourself).
+RSYNC_ENABLE=true
+
+# which file should be used as the configuration file for rsync.
+# This file is used instead of the default /etc/rsyncd.conf
+# Warning: This option has no effect if the daemon is accessed
+# using a remote shell. When using a different file for
+# rsync you might want to symlink /etc/rsyncd.conf to
+# that file.
+# RSYNC_CONFIG_FILE=
+
+# what extra options to give rsync --daemon?
+# that excludes the --daemon; that's always done in the init.d script
+# Possibilities are:
+# --address=123.45.67.89 (bind to a specific IP address)
+# --port=8730 (bind to specified port; default 873)
+RSYNC_OPTS=''
+
+# run rsyncd at a nice level?
+# the rsync daemon can impact performance due to much I/O and CPU usage,
+# so you may want to run it at a nicer priority than the default priority.
+# Allowed values are 0 - 19 inclusive; 10 is a reasonable value.
+RSYNC_NICE=''
+
+# run rsyncd with ionice?
+# "ionice" does for IO load what "nice" does for CPU load.
+# As rsync is often used for backups which aren't all that time-critical,
+# reducing the rsync IO priority will benefit the rest of the system.
+# See the manpage for ionice for allowed options.
+# -c3 is recommended, this will run rsync IO at "idle" priority. Uncomment
+# the next line to activate this.
+# RSYNC_IONICE='-c3'
+
+# Don't forget to create an appropriate config file,
+# else the daemon will not start.
+
diff --git a/cookbooks/nova/files/default/iscsidev.sh b/cookbooks/nova/files/default/iscsidev.sh
new file mode 100755
index 0000000..6f5b572
--- /dev/null
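Review bot: `RSYNC_ENABLE=true` together with the empty `RSYNC_OPTS=''` starts the rsync daemon without an `--address`, so it presumably listens on every interface of the host, and the rsyncd.conf that decides which modules are exported and who may read them is not part of this commit, so the exposure cannot be judged here. Consider `RSYNC_OPTS='--address=<management-address placeholder>'` bound to the interface the other nova hosts reach, or add a comment in this file naming the recipe that installs the matching rsyncd.conf and which interface the daemon is expected on.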
+++ b/cookbooks/nova/files/default/iscsidev.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# NOTE(vish): This script helps udev create common names for discovered iscsi
+# volumes under /dev/iscsi. To use it, create /dev/iscsi and add
+# a file to /etc/udev/rules.d like so:
+# mkdir /dev/iscsi
+# echo 'KERNEL=="sd*", BUS=="scsi", PROGRAM="/path/to/iscsidev.sh
+# %b",SYMLINK+="iscsi/%c%n"' > /etc/udev/rules.d/55-openiscsi.rules
+
+BUS=${1}
+HOST=${BUS%%:*}
+
+if [ ! -e /sys/class/iscsi_host ]; then
+ exit 1
+fi
+
+file="/sys/class/iscsi_host/host${HOST}/device/session*/iscsi_session*/session*/targetname"
+
+target_name=$(cat ${file})
+
+if [ -z "${target_name}" ]; then
+ exit 1
+fi
+
+echo "${target_name##*:}"
diff --git a/cookbooks/nova/files/default/nova.schema b/cookbooks/nova/files/default/nova.schema
new file mode 100644
index 0000000..8a6f3d1
--- /dev/null
+++ b/cookbooks/nova/files/default/nova.schema
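Review bot: `BUS=${1}` is used without checking that an argument was given, so when udev invokes the script with an empty `%b` the `HOST` expansion is empty, `file` points at `host/device/...`, and the failure is only caught by the later `-z` test after `cat` has complained on stderr; add `[ -n "${BUS}" ] || exit 1` before `HOST=${BUS%%:*}`. `$(cat ${file})` relies on the unquoted glob to locate the session directory, and if more than one session matches, the outputs are concatenated and `${target_name##*:}` keeps only the tail of the last one, so presumably one session per host is assumed; a comment on the `file=` line stating that assumption would make it explicit.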
@@ -0,0 +1,85 @@
+#
+# Person object for Nova
+# inetorgperson with extra attributes
+# Author: Vishvananda Ishaya
+#
+#
+
+# using internet experimental oid arc as per BP64 3.1
+objectidentifier novaSchema 1.3.6.1.3.1.666.666
+objectidentifier novaAttrs novaSchema:3
+objectidentifier novaOCs novaSchema:4
+
+attributetype (
+ novaAttrs:1
+ NAME 'accessKey'
+ DESC 'Key for accessing data'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ )
+
+attributetype (
+ novaAttrs:2
+ NAME 'secretKey'
+ DESC 'Secret key'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ )
+
+attributetype (
+ novaAttrs:3
+ NAME 'keyFingerprint'
+ DESC 'Fingerprint of private key'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ )
+
+attributetype (
+ novaAttrs:4
+ NAME 'isAdmin'
+ DESC 'Is user an administrator?'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE
+ )
+
+attributetype (
+ novaAttrs:5
+ NAME 'projectManager'
+ DESC 'Project Managers of a project'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ )
+
+objectClass (
+ novaOCs:1
+ NAME 'novaUser'
+ DESC 'access and secret keys'
+ AUXILIARY
+ MUST ( uid )
+ MAY ( accessKey $ secretKey $ isAdmin )
+ )
+
+objectClass (
+ novaOCs:2
+ NAME 'novaKeyPair'
+ DESC 'Key pair for User'
+ SUP top
+ STRUCTURAL
+ MUST ( cn $ sshPublicKey $ keyFingerprint )
+ )
+
+objectClass (
+ novaOCs:3
+ NAME 'novaProject'
+ DESC 'Container for project'
+ SUP groupOfNames
+ STRUCTURAL
+ MUST ( cn $ projectManager )
+ )
+
diff --git a/cookbooks/nova/files/default/openssh-lpk_openldap.schema b/cookbooks/nova/files/default/openssh-lpk_openldap.schema
new file mode 100644
index 0000000..63d8273
--- /dev/null
+++ b/cookbooks/nova/files/default/openssh-lpk_openldap.schema
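Review bot: The `secretKey` attributetype (`novaAttrs:2`) is declared with `EQUALITY caseIgnoreMatch` and `SUBSTR caseIgnoreSubstringsMatch`, so a secret becomes searchable by substring and comparable case-insensitively; any client the directory ACL lets search or compare on that attribute can confirm its value without read access, and the equality rule accepts a key that differs only in case. Declare it the way `userPassword` is, with `EQUALITY octetStringMatch`, `SYNTAX 1.3.6.1.4.1.1466.115.121.1.40` and no `SUBSTR` rule, and make sure the OpenLDAP ACL in the recipe that loads this schema restricts `secretKey` to the nova bind DN. The same matching rules on `accessKey` and `keyFingerprint` are fine since those are identifiers.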
@@ -0,0 +1,20 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+# Author: Eric AUGE
+#
+# Based on the proposal of : Mark Ruijter
+#
+
+
+# octetString SYNTAX
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+ DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MAY ( sshPublicKey $ uid )
+ )
+
diff --git a/cookbooks/nova/metadata.json b/cookbooks/nova/metadata.json
new file mode 100644
index 0000000..b5692fe
--- /dev/null
+++ b/cookbooks/nova/metadata.json
@@ -0,0 +1,62 @@
+{
+ "platforms": {
+
+ },
+ "maintainer": "Opscode, Inc.",
+ "replacing": {
+
+ },
+ "license": "Apache 2.0",
+ "maintainer_email": "oss@opscode.com",
+ "groupings": {
+
+ },
+ "recommendations": {
+
+ },
+ "description": "Installs/Configures nova",
+ "version": "0.1.0",
+ "suggestions": {
+
+ },
+ "attributes": {
+
+ },
+ "conflicting": {
+
+ },
+ "name": "nova",
+ "recipes": {
+
+ },
+ "dependencies": {
+ "runit": [
+
+ ],
+ "mysql": [
+
+ ],
+ "openssl": [
+
+ ],
+ "apt": [
+
+ ],
+ "python-ldap": [
+
+ ],
+ "openldap": [
+
+ ],
+ "build-essential": [
+
+ ],
+ "rabbitmq": [
+
+ ]
+ },
+ "long_description": "= DESCRIPTION:\n\n= REQUIREMENTS:\n\n= ATTRIBUTES: \n\n= USAGE:\n\n",
+ "providing": {
+
+ }
+}
\ No newline at end of file
diff --git a/cookbooks/nova/metadata.rb b/cookbooks/nova/metadata.rb
new file mode 100644
index 0000000..0ff54fb
--- /dev/null
+++ b/cookbooks/nova/metadata.rb
@@ -0,0 +1,15 @@
+maintainer "Opscode, Inc."
+maintainer_email "oss@opscode.com"
+license "Apache 2.0"
+description "Installs/Configures nova"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc'))
+version "0.1"
+
+depends "apt"
+depends "build-essential"
+depends "mysql"
+depends "openldap"
+depends "openssl"
+depends "python-ldap"
+depends "rabbitmq"
+depends "runit"
diff --git a/cookbooks/nova/recipes/all.rb b/cookbooks/nova/recipes/all.rb
new file mode 100644
index 0000000..9cf8090
--- /dev/null
+++ b/cookbooks/nova/recipes/all.rb
@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: nova
+# Recipe:: all
+#
+# Copyright 2011, Anso Labs
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "nova::mysql"
+include_recipe "nova::rabbit"
+include_recipe "nova::common"
+include_recipe "nova::api"
+include_recipe "nova::scheduler"
+include_recipe "nova::network"
+include_recipe "nova::objectstore"
+include_recipe "nova::compute"
+include_recipe "nova::volume"
diff --git a/cookbooks/nova/recipes/api.rb b/cookbooks/nova/recipes/api.rb
new file mode 100644
index 0000000..56a6e5b
--- /dev/null
+++ b/cookbooks/nova/recipes/api.rb
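Review bot: `version "0.1"` in metadata.rb disagrees with `"version": "0.1.0"` in the metadata.json added by the same commit; the two files describe the same cookbook and the JSON is normally regenerated from metadata.rb, so the pair will drift the first time anyone regenerates it. Set `version "0.1.0"` here (or regenerate metadata.json from this file) so the Chef server and the repository agree on the cookbook version.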
@@ -0,0 +1,21 @@
+#
+# Cookbook Name:: nova
+# Recipe:: api
+#
+# Copyright 2010, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "nova::common"
+nova_package("api")
diff --git a/cookbooks/nova/recipes/common.rb b/cookbooks/nova/recipes/common.rb
new file mode 100644
index 0000000..3a5cbc3
--- /dev/null
+++ b/cookbooks/nova/recipes/common.rb
@@ -0,0 +1,87 @@
+#
+# Cookbook Name:: nova
+# Recipe:: common
+#
+# Copyright 2010, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+package "nova-common" do
+ options "--force-yes -o Dpkg::Options::=\"--force-confdef\""
+ action :install
+end
+
+directory "/etc/nova" do
+ owner "root"
+ group "root"
+ mode 0755
+ action :create
+end
+
+env_filter = ''
+if node[:app_environment]
+ env_filter = " AND app_environment:#{node[:app_environment]}"
+end
+
+sql_connection = nil
+if node[:nova][:mysql]
+ Chef::Log.info("Using mysql")
+ package "python-mysqldb"
+ mysqls = nil
+
+ unless Chef::Config[:solo]
+ mysqls = search(:node, "recipes:nova\\:\\:mysql#{env_filter}")
+ end
+ if mysqls and mysqls[0]
+ mysql = mysqls[0]
+ Chef::Log.info("Mysql server found at #{mysql[:mysql][:bind_address]}")
+ else
+ mysql = node
+ Chef::Log.info("Using local mysql at #{mysql[:mysql][:bind_address]}")
+ end
+ sql_connection = "mysql://#{mysql[:nova][:db][:user]}:#{mysql[:nova][:db][:password]}@#{mysql[:mysql][:bind_address]}/#{mysql[:nova][:db][:database]}"
+end
+
+rabbits = nil
+unless Chef::Config[:solo]
+ rabbits = search(:node, "recipes:nova\\:\\:rabbit#{env_filter}")
+end
+if rabbits and rabbits[0]
+ rabbit = rabbits[0]
+ Chef::Log.info("Rabbit server found at #{rabbit[:rabbitmq][:address]}")
+else
+ rabbit = node
+ Chef::Log.info("Using local rabbit at #{rabbit[:rabbitmq][:address]}")
+end
+
+rabbit_settings = {
+ :address =>
rabbit[:rabbitmq][:address],
+ :port => rabbit[:rabbitmq][:port],
+ :user => rabbit[:nova][:rabbit][:user],
+ :password => rabbit[:nova][:rabbit][:password],
+ :vhost => rabbit[:nova][:rabbit][:vhost]
+}
+
+template "/etc/nova/nova.conf" do
+ source "nova.conf.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ variables(
+ :sql_connection => sql_connection,
+ :rabbit_settings => rabbit_settings
+ )
+end
diff --git a/cookbooks/nova/recipes/compute.rb b/cookbooks/nova/recipes/compute.rb
new file mode 100644
index 0000000..cf01a9c
--- /dev/null
+++ b/cookbooks/nova/recipes/compute.rb
@@ -0,0 +1,36 @@
+#
+# Cookbook Name:: nova
+# Recipe:: compute
+#
+# Copyright 2010, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "nova::common"
+nova_package("compute")
+
+if node[:nova][:compute_connection_type] == "kvm"
+ service "libvirt-bin" do
+ notifies :restart, resources(:service => "nova-compute"), :immediately
+ end
+
+ execute "modprobe kvm" do
+ action :run
+ notifies :restart, resources(:service => "libvirt-bin"), :immediately
+ end
+end
+
+execute "modprobe nbd" do
+ action :run
+end
diff --git a/cookbooks/nova/recipes/creds.rb b/cookbooks/nova/recipes/creds.rb
new file mode 100644
index 0000000..05ba86f
--- /dev/null
+++ b/cookbooks/nova/recipes/creds.rb
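Review bot: `template "/etc/nova/nova.conf"` is written with `mode 0644`, and its `:sql_connection` variable embeds `mysql[:nova][:db][:password]` while `:rabbit_settings` carries `rabbit[:nova][:rabbit][:password]`, so both credentials land in a world-readable file on every node that runs this recipe. Use `mode 0640` with `group` set to the account the nova services run as (presumably the `nova` user named in attributes/default.rb; confirm what the nova-common package creates). Separately, `mysqls[0]` and `rabbits[0]` take whichever node the search returns first, so with more than one mysql or rabbit node in an environment the connection target is not deterministic; a comment stating that a single instance per environment is assumed would help the next reader.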
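Review bot: `execute "modprobe kvm"` has `action :run` and no guard, so it runs on every converge and its `:immediately` notification restarts `libvirt-bin`, which in turn restarts `nova-compute`, every time Chef runs on a kvm host. Add `not_if "lsmod | grep -q '^kvm '"` to that execute (and `not_if "lsmod | grep -q '^nbd '"` to `modprobe nbd`) so the modules are loaded once and the restart chain fires only on the first run.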
@@ -0,0 +1,51 @@
+#
+# Cookbook Name:: nova
+# Recipe:: creds
+#
+# Copyright 2011, Anso Labs
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+group node[:nova][:creds][:group] do
+ action :create
+ group_name node[:nova][:creds][:group]
+end
+
+user node[:nova][:creds][:user] do
+ group node[:nova][:creds][:group]
+ comment "Nova User"
+ home node[:nova][:creds][:dir]
+ shell "/bin/bash"
+ not_if "grep #{node[:nova][:creds][:user]} /etc/passwd"
+end
+
+directory node[:nova][:creds][:dir] do
+ owner node[:nova][:creds][:user]
+ group node[:nova][:creds][:group]
+ mode "0700"
+ action :create
+end
+
+package "unzip"
+
+execute "nova-manage project zipfile #{node[:nova][:project]} #{node[:nova][:user]} /var/lib/nova/nova.zip" do
+ user 'nova'
+ not_if { File.exists?("/var/lib/nova/nova.zip") }
+end
+
+execute "unzip /var/lib/nova/nova.zip -d #{node[:nova][:creds][:dir]}/" do
+ user node[:nova][:creds][:user]
+ group node[:nova][:creds][:group]
+ not_if { File.exists?("#{node[:nova][:creds][:dir]}/novarc") }
+end
diff --git a/cookbooks/nova/recipes/default.rb b/cookbooks/nova/recipes/default.rb
new file mode 100644
index 0000000..2a92eac
--- /dev/null
+++ b/cookbooks/nova/recipes/default.rb
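Review bot: The two `execute` resources hard-code `/var/lib/nova/nova.zip` and `user 'nova'` while the `user`, `directory` and the unzip destination around them come from `node[:nova][:creds][:user]` and `node[:nova][:creds][:dir]`, so overriding those attributes leaves the zip, which holds the generated access and secret keys, in `/var/lib/nova` under a different account than the one that owns the 0700 directory; use `#{node[:nova][:creds][:dir]}/nova.zip` and `user node[:nova][:creds][:user]` in both resources and their `not_if` guards. The `not_if "grep #{node[:nova][:creds][:user]} /etc/passwd"` guard on the `user` resource is unanchored, so any account whose line merely contains the string would skip creation; the `user` resource is already idempotent, so that guard can simply be removed.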
@@ -0,0 +1,22 @@ +# +# Cookbook Name:: nova +# Recipe:: default +# +# Copyright 2010, Opscode, Inc. +# Copyright 2011, Anso Labs +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "nova::all" +include_recipe "nova::setup" diff --git a/cookbooks/nova/recipes/filevg.rb b/cookbooks/nova/recipes/filevg.rb new file mode 100644 index 0000000..c63c664 --- /dev/null +++ b/cookbooks/nova/recipes/filevg.rb 
@@ -0,0 +1,40 @@ +# +# Cookbook Name:: nova +# Recipe:: vagrant +# +# Copyright 2011, Anso Labs +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +include_recipe "apt" + +%w{lvm2}.each do |pkg| + package pkg do + options "--force-yes" + end +end + +execute "truncate -s 10G /root/nova-volumes" do + user "root" + not_if { File.exists?("/root/nova-volumes/") } +end + +execute "losetup /dev/loop0 /root/nova-volumes" do + user "root" + not_if "losetup -a | grep /dev/loop0 || vgs --noheadings -o name | grep nova-volumes" +end + +execute "vgcreate nova-volumes /dev/loop0" do + user "root" + not_if "vgs --noheadings -o name | grep nova-volumes" +end diff --git a/cookbooks/nova/recipes/hostname.rb b/cookbooks/nova/recipes/hostname.rb new file mode 100644 index 0000000..2d8d5ff --- /dev/null +++ b/cookbooks/nova/recipes/hostname.rb 
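Review bot: The guard `not_if { File.exists?("/root/nova-volumes/") }` tests a path with a trailing slash, which is false for the regular file that `truncate` creates, so the truncate runs on every converge; it should read `not_if { File.exists?("/root/nova-volumes") }`. Hard-coding `/dev/loop0` in the losetup and vgcreate commands also collides with anything else on the host that already holds loop0; `losetup -f` picks the next free device, though the vgcreate line then needs the chosen name. The file header says `Recipe:: vagrant` while the file is filevg.rb.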
@@ -0,0 +1,41 @@ +# +# Cookbook Name:: nova +# Recipe:: hostname +# +# Copyright 2011, Anso Labs +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +unless Chef::Config[:solo] + node[:nova][:hostname] = node.name +end + +execute "/root/hostname.sh" do + action :nothing +end + +domain = node[:fqdn].split('.')[1..-1].join('.') + +template "/root/hostname.sh" do + source "hostname.erb" + owner "root" + group "root" + mode 0755 + variables( + :ip => node[:nova][:my_ip], + :hostname => node[:nova][:hostname], + :domain => domain + ) + notifies :run, resources(:execute => "/root/hostname.sh"), :immediately +end diff --git a/cookbooks/nova/recipes/mysql.rb b/cookbooks/nova/recipes/mysql.rb new file mode 100644 index 0000000..d646c94 --- /dev/null +++ b/cookbooks/nova/recipes/mysql.rb 
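Review bot: `domain = node[:fqdn].split('.')[1..-1].join('.')` raises a NoMethodError when Ohai has not populated `node[:fqdn]` (nil) or when the fqdn has no dot (`[][1..-1]` is nil), which aborts the converge before the template is written. `domain = node[:fqdn].to_s.split('.').drop(1).join('.')` degrades to an empty domain instead, and the template can then decide whether to append it. On Chef solo `node[:nova][:hostname]` is never assigned here, so the rendered script uses whatever the attribute files provide; a check that it is non-empty before rendering would give a clearer failure than an `/etc/hosts` line with a blank hostname.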
@@ -0,0 +1,60 @@ +# +# Cookbook Name:: nova +# Recipe:: mysql +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +execute "mysql-install-nova-privileges" do + command "/usr/bin/mysql -u root -p#{node[:mysql][:server_root_password]} < /etc/mysql/nova-grants.sql" + action :nothing +end + +node[:mysql][:bind_address] = node[:nova][:my_ip] + +Chef::Log.info("Mysql recipe included") + +include_recipe "mysql::server" +require 'rubygems' +Gem.clear_paths +require 'mysql' + +template "/etc/mysql/nova-grants.sql" do + path "/etc/mysql/nova-grants.sql" + source "grants.sql.erb" + owner "root" + group "root" + mode "0600" + variables( + :user => node[:nova][:db][:user], + :password => node[:nova][:db][:password], + :database => node[:nova][:db][:database] + ) + notifies :run, resources(:execute => "mysql-install-nova-privileges"), :immediately +end + +execute "create #{node[:nova][:db][:database]} database" do + command "/usr/bin/mysqladmin -u root -p#{node[:mysql][:server_root_password]} create #{node[:nova][:db][:database]}" + not_if do + m = Mysql.new("localhost", "root", node[:mysql][:server_root_password]) + m.list_dbs.include?(node[:nova][:db][:database]) + end +end + +# save data so it can be found by search +unless Chef::Config[:solo] + Chef::Log.info("Saving node data") + node.save +end diff --git a/cookbooks/nova/recipes/network.rb b/cookbooks/nova/recipes/network.rb new file mode 100644 index 0000000..6ca3e0e --- /dev/null 
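Review bot: Both execute resources pass the MySQL root password on the command line (`-p#{node[:mysql][:server_root_password]}`), where it is visible to every local user via `ps` and `/proc/*/cmdline` while the command runs and appears in Chef's output if the command fails. Feed it through a root-only option file instead: render `/root/.my.cnf` with `mode "0600"` from the same attribute and call `/usr/bin/mysql --defaults-extra-file=/root/.my.cnf < /etc/mysql/nova-grants.sql` (same for the `mysqladmin ... create` command). The `not_if` block opens a `Mysql` connection it never closes; closing it after the `list_dbs` check avoids leaking a connection per run. The `require 'mysql'` at recipe compile time will presumably fail on a first run if the gem is only installed by `mysql::server` — that recipe is not in this chunk, so worth confirming.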
+++ b/cookbooks/nova/recipes/network.rb @@ -0,0 +1,34 @@ +# +# Cookbook Name:: nova +# Recipe:: network +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "nova::common" +nova_package("network") + +execute "sysctl -p" do + user "root" + action :nothing +end + +template "/etc/sysctl.conf" do + source "sysctl.conf.erb" + owner "root" + group "root" + mode 0644 + notifies :run, resources(:execute => "sysctl -p"), :immediately +end diff --git a/cookbooks/nova/recipes/objectstore.rb b/cookbooks/nova/recipes/objectstore.rb new file mode 100644 index 0000000..5caf881 --- /dev/null +++ b/cookbooks/nova/recipes/objectstore.rb @@ -0,0 +1,21 @@ +# +# Cookbook Name:: nova +# Recipe:: objectstore +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "nova::common" +nova_package("objectstore") 
diff --git a/cookbooks/nova/recipes/openldap.rb b/cookbooks/nova/recipes/openldap.rb new file mode 100644 index 0000000..e3e4e31 --- /dev/null +++ b/cookbooks/nova/recipes/openldap.rb 
@@ -0,0 +1,72 @@ +# +# Cookbook Name:: nova +# Recipe:: openldap +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "openldap::server" +include_recipe "python-ldap" + +## +# Nova includes special templates for this resources, so we override them. +## +r = resources(:template => "#{node[:openldap][:dir]}/slapd.conf") +r.cookbook("nova") + +template "#{node[:openldap][:dir]}/ldap.conf" do + owner "root" + group "root" + source "ldap.conf.erb" + mode "0644" +end + +cookbook_file "/etc/ldap/schema/openssh-lpk_openldap.schema" do + source "openssh-lpk_openldap.schema" + owner "root" + group "root" + mode "0644" +end + +cookbook_file "/etc/ldap/schema/nova.schema" do + source "nova.schema" + owner "root" + group "root" + mode "0644" +end + +cookbook_file "/etc/ldap/base.ldif" do + source "base.ldif" + owner "root" + group "root" + mode "0644" +end + +bash "bootstrap_ldap" do + code <<-EOH + /etc/init.d/slapd stop + rm -rf /var/lib/ldap/* + rm -rf /etc/ldap/slapd.d/* + slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d + cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG + slapadd -v -l /etc/ldap/base.ldif + chown -R openldap:openldap /etc/ldap/slapd.d + chown -R openldap:openldap /var/lib/ldap + /etc/init.d/slapd start + EOH + action :nothing + subscribes :execute, resources(:cookbook_file => "/etc/ldap/base.ldif") +end + 
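Review bot: `bash "bootstrap_ldap"` runs `rm -rf /var/lib/ldap/*` and `rm -rf /etc/ldap/slapd.d/*` whenever `/etc/ldap/base.ldif` changes, so any later edit to base.ldif (even whitespace) silently destroys the live directory, including entries added after the bootstrap. Add a guard such as `not_if { File.exists?("/var/lib/ldap/DB_CONFIG") }` or a marker file so the wipe only happens on first install, and make re-seeding a deliberate manual step. The `subscribes :execute` action name looks wrong for a `bash` resource, whose action is `:run` — verify against the Chef version in use, since a bad action name fails at converge rather than at compile. The `r.cookbook("nova")` override at the top only works because `openldap::server` has already declared the slapd.conf template; a comment stating that ordering dependency would help the next maintainer.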
diff --git a/cookbooks/nova/recipes/rabbit.rb b/cookbooks/nova/recipes/rabbit.rb new file mode 100644 index 0000000..6154c83 --- /dev/null +++ b/cookbooks/nova/recipes/rabbit.rb 
@@ -0,0 +1,52 @@ +# +# Cookbook Name:: nova +# Recipe:: rabbit +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + + +node[:rabbitmq][:address] = node[:nova][:my_ip] + +include_recipe "rabbitmq" + +# add a vhost to the queue +execute "rabbitmqctl add_vhost #{node[:nova][:rabbit][:vhost]}" do + not_if "rabbitmqctl list_vhosts | grep #{node[:nova][:rabbit][:vhost]}" + subscribes :run, resources(:service => "rabbitmq-server"), :immediately + #action :nothing +end + +# create user for the queue +execute "rabbitmqctl add_user #{node[:nova][:rabbit][:user]} #{node[:nova][:rabbit][:password]}" do + not_if "rabbitmqctl list_users | grep #{node[:nova][:rabbit][:user]}" + subscribes :run, resources(:service => "rabbitmq-server"), :immediately + #action :nothing +end + +# grant the mapper user the ability to do anything with the vhost +# the three regex's map to config, write, read permissions respectively +execute "rabbitmqctl set_permissions -p #{node[:nova][:rabbit][:vhost]} #{node[:nova][:rabbit][:user]} \".*\" \".*\" \".*\"" do + not_if "rabbitmqctl list_user_permissions #{node[:nova][:rabbit][:user]} | grep #{node[:nova][:rabbit][:vhost]}" + subscribes :run, resources(:service => "rabbitmq-server"), :immediately + #action :nothing +end + +# save data so it can be found by search +unless Chef::Config[:solo] + Chef::Log.info("Saving node data") + node.save +end + 
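Review bot: The RabbitMQ password is embedded in the resource name `execute "rabbitmqctl add_user #{node[:nova][:rabbit][:user]} #{node[:nova][:rabbit][:password]}"`, so Chef prints it in every run log and report on top of its exposure in the process list; the same applies to the access and secret keys in the `nova-manage user admin ...` resource in the setup.rb hunk. Give the resource a neutral name and move the command into `command`, e.g. `execute "rabbitmq-add-user-#{node[:nova][:rabbit][:user]}" do` / `command "rabbitmqctl add_user #{node[:nova][:rabbit][:user]} #{node[:nova][:rabbit][:password]}"`. The `not_if "... | grep #{node[:nova][:rabbit][:user]}"` and vhost guards are substring matches, so a user or vhost whose name contains another's (e.g. `nova` vs `nova_test`) short-circuits creation; `grep -w` or an anchored pattern is safer.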
diff --git a/cookbooks/nova/recipes/scheduler.rb b/cookbooks/nova/recipes/scheduler.rb new file mode 100644 index 0000000..71765a0 --- /dev/null +++ b/cookbooks/nova/recipes/scheduler.rb @@ -0,0 +1,21 @@ +# +# Cookbook Name:: nova +# Recipe:: scheduler +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "nova::common" +nova_package("scheduler") diff --git a/cookbooks/nova/recipes/setup.rb b/cookbooks/nova/recipes/setup.rb new file mode 100644 index 0000000..d948525 --- /dev/null +++ b/cookbooks/nova/recipes/setup.rb 
@@ -0,0 +1,57 @@ +# +# Cookbook Name:: nova +# Recipe:: setup +# +# Copyright 2010, Opscode, Inc. +# Copyright 2011, Anso Labs +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "apt" + +package "euca2ools" +package "curl" + +execute "nova-manage db sync" do + user "nova" +end + +execute "nova-manage user admin #{node[:nova][:user]} #{node[:nova][:access_key]} #{node[:nova][:secret_key]}" do + user 'nova' + not_if "nova-manage user list | grep #{node[:nova][:user]}" +end + +execute "nova-manage project create #{node[:nova][:project]} #{node[:nova][:user]}" do + user 'nova' + not_if "nova-manage project list | grep #{node[:nova][:project]}" +end + +execute "nova-manage network create #{node[:nova][:network]}" do + user 'nova' + not_if { File.exists?("/var/lib/nova/setup") } +end + +execute "nova-manage floating create #{node[:nova][:hostname]} #{node[:nova][:floating_range]}" do + user 'nova' + not_if { File.exists?("/var/lib/nova/setup") } +end + +(node[:nova][:images] or []).each do |image| + execute "curl #{image} | tar xvz -C /var/lib/nova/images" do + user 'nova' + not_if { File.exists?("/var/lib/nova/setup") } + end +end + +execute "touch /var/lib/nova/setup" diff --git a/cookbooks/nova/recipes/source.rb b/cookbooks/nova/recipes/source.rb new file mode 100644 index 0000000..76c2605 --- /dev/null +++ b/cookbooks/nova/recipes/source.rb 
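Review bot: `execute "curl #{image} | tar xvz -C /var/lib/nova/images"` unpacks whatever the URL returns with no integrity check and no `-f`, so an HTTP error body or a tampered download is fed straight to tar as the nova user; at minimum use `curl -fsSL`, and if the image source publishes checksums, verify them before extracting (a `remote_file` with `checksum` plus a separate extract step does both and is idempotent). The `not_if { File.exists?("/var/lib/nova/setup") }` guards are keyed on a marker that `execute "touch /var/lib/nova/setup"` creates unconditionally at the end of the recipe, so a failed image download on the first run is never retried on a later converge; create the marker only after the image loop succeeds, or guard each image on its extracted path. `nova-manage db sync` also runs on every converge without a guard, which may be intended since it is idempotent, but a comment saying so would prevent someone "fixing" it.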
@@ -0,0 +1,68 @@ +# +# Cookbook Name:: nova +# Recipe:: source +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "runit" + +execute "easy_install virtualenv" + +package "bzr" + +execute "bzr init-repo nova" do + cwd node[:nova][:services_base_dir] + not_if { File.directory?(node[:nova][:nova_base_dir]) } +end + +execute "bzr branch #{node[:nova][:bzr_branch]} #{node[:nova][:local_branch_name]}" do + cwd node[:nova][:nova_base_dir] + not_if { File.directory?(node[:nova][:local_branch_dir]) } +end + +execute "python tools/install_venv.py" do + cwd node[:nova][:local_branch_dir] + not_if { File.exists?(File.join(node[:nova][:local_branch_dir], ".nova-venv/bin/activate")) } +end + +file File.join(node[:nova][:local_branch_dir], "/.nova-venv/lib/python2.6/site-packages/nova.pth") do + content node[:nova][:local_branch_dir] +end + +bash "install nova user" do + code "./tools/with_venv.sh ./bin/nova-manage user admin admin" + cwd node[:nova][:local_branch_dir] + not_if "#{node[:nova][:local_branch_dir]}/tools/with_venv.sh #{node[:nova][:local_branch_dir]}/bin/nova-manage user list | grep admin" +end + + +bash "create project" do + code "./tools/with_venv.sh ./bin/nova-manage project create admin admin" + cwd node[:nova][:local_branch_dir] + not_if "#{node[:nova][:local_branch_dir]}/tools/with_venv.sh #{node[:nova][:local_branch_dir]}/bin/nova-manage project list | grep admin" +end + +bash "create project zipfile" do + 
code "./tools/with_venv.sh ./bin/nova-manage project zip admin admin" + cwd node[:nova][:local_branch_dir] + not_if { File.exists?(File.join(node[:nova][:local_branch_dir], "nova.zip")) } +end + +execute "unzip nova.zip" do + cwd node[:nova][:local_branch_dir] + not_if { File.exists?(File.join(node[:nova][:local_branch_dir], "novarc")) } +end + diff --git a/cookbooks/nova/recipes/volume.rb b/cookbooks/nova/recipes/volume.rb new file mode 100644 index 0000000..590c930 --- /dev/null +++ b/cookbooks/nova/recipes/volume.rb @@ -0,0 +1,57 @@ +# +# Cookbook Name:: nova +# Recipe:: volume +# +# Copyright 2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include_recipe "nova::common" +nova_package("volume") + +service "iscsitarget" do + supports :status => true, :restart => true, :reload => true + action :nothing +end + +file "/etc/default/iscsitarget" do + content <<-EOH +ISCSITARGET_ENABLE=true +EOH + owner "root" + group "root" + mode 0644 + notifies :restart, resources(:service => "iscsitarget"), :immediately +end + +directory "/var/lib/nova/scripts" do + owner "nova" + mode 0755 + action :create +end + +cookbook_file "/var/lib/nova/scripts/iscsidev.sh" do + source "iscsidev.sh" + owner "nova" + mode 0644 +end + +file "/etc/udev/rules.d/55-openiscsi.rules" do + content <<-EOH +KERNEL=="sd*", BUS=="scsi", PROGRAM="/var/lib/nova/scripts/iscsidev.sh %b",SYMLINK+="iscsi/%c%n" +EOH + owner "root" + group "root" + mode 0644 +end 
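Review bot: `execute "easy_install virtualenv"` has no guard, so every converge reaches out to PyPI and may silently pull a newer virtualenv; `not_if "which virtualenv"` makes it converge once and keeps the toolchain version stable. The `file ... nova.pth` resource hard-codes `python2.6` in the venv path, which fails silently on any other interpreter version — derive it from the venv or make it an attribute. `bash "install nova user"` creates an admin account literally named `admin` with no access or secret key specified, unlike setup.rb which takes them from attributes; if this recipe is meant for development only, the header comment should say so.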
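Review bot: The udev rule written by `file "/etc/udev/rules.d/55-openiscsi.rules"` runs `/var/lib/nova/scripts/iscsidev.sh` as root, yet the script and its directory are installed with `owner "nova"` — anyone who compromises the unprivileged nova service account can replace the script and obtain root on the next iSCSI device event. Install both the directory and the script with `owner "root"` and `group "root"`, and give the script `mode 0755`; with the current `mode 0644` udev cannot execute it at all, since PROGRAM is exec'd directly rather than through a shell. The `service "iscsitarget"` resource with `action :nothing` is only ever restarted by the notification and never enabled or started if it was not already running; `action [:enable, :start]` is likely intended.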
diff --git a/cookbooks/nova/templates/default/grants.sql.erb b/cookbooks/nova/templates/default/grants.sql.erb new file mode 100644 index 0000000..1b4d8f1 --- /dev/null +++ b/cookbooks/nova/templates/default/grants.sql.erb @@ -0,0 +1,5 @@ +GRANT ALL ON <%= @database %>.* TO '<%= @user %>'@'%' IDENTIFIED BY '<%= @password %>'; + +SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<%= node[:mysql][:server_root_password] %>'); + +FLUSH PRIVILEGES; diff --git a/cookbooks/nova/templates/default/hostname.erb b/cookbooks/nova/templates/default/hostname.erb new file mode 100644 index 0000000..f0cd833 --- /dev/null +++ b/cookbooks/nova/templates/default/hostname.erb @@ -0,0 +1,5 @@ +#!/bin/bash +HOSTNAME="<%= @hostname %>" +hostname $HOSTNAME +echo $HOSTNAME > /etc/hostname +sed -i "s/127.0.1.1.*/<%= @ip %> $HOSTNAME.<%= @domain %> $HOSTNAME/g" /etc/hosts diff --git a/cookbooks/nova/templates/default/ldap.conf.erb b/cookbooks/nova/templates/default/ldap.conf.erb new file mode 100644 index 0000000..c58c497 --- /dev/null +++ b/cookbooks/nova/templates/default/ldap.conf.erb @@ -0,0 +1,7 @@ +# LDAP Client Settings +URI ldap://localhost +BASE dc=example,dc=com +BINDDN cn=Manager,dc=example,dc=com +SIZELIMIT 0 +TIMELIMIT 0 + diff --git a/cookbooks/nova/templates/default/nova.conf.erb b/cookbooks/nova/templates/default/nova.conf.erb new file mode 100644 index 0000000..b4efc31 --- /dev/null +++ b/cookbooks/nova/templates/default/nova.conf.erb 
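Review bot: `GRANT ALL ON <%= @database %>.* TO '<%= @user %>'@'%'` lets the nova database account log in from any host, and the mysql.rb hunk binds the server to `node[:nova][:my_ip]`, so the account is reachable network-wide with only its password as protection. Restrict the host part to the address or subnet the nova services actually connect from, e.g. an attribute rendered as `'<%= @user %>'@'<%= @allowed_host %>'`, and consider whether `ALL` is needed — `GRANT`, `ALTER` and `DROP` on the schema are the privileges most worth trimming. The `SET PASSWORD FOR 'root'@'localhost'` line re-applies the root password each time the template changes; that is harmless while the attribute is stable, but if the attribute is changed the `mysql -u root -p<new>` command that applies this file will presumably fail against the old password, so the rotation path deserves a comment.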
@@ -0,0 +1,28 @@ +--dhcpbridge_flagfile=/etc/nova/nova.conf +--dhcpbridge=/usr/bin/nova-dhcpbridge +--logdir=/var/log/nova +--state_path=/var/lib/nova +--verbose +--my_ip=<%= node[:nova][:my_ip] %> +--public_interface=<%= node[:nova][:public_interface] %> +--vlan_interface=<%= node[:nova][:vlan_interface] %> +--iscsi_ip_prefix=<%= node[:nova][:my_ip].split('.')[0..2].join('.') %> +<% if @sql_connection %>--sql_connection=<%= @sql_connection %><% end %> +<% if node[:nova][:libvirt_type] %>--libvirt_type=<%= node[:nova][:libvirt_type] %><% end %> +<% if @rabbit_settings %> +--rabbit_host=<%= @rabbit_settings[:address] %> +--rabbit_port=<%= @rabbit_settings[:port] %> +--rabbit_userid=<%= @rabbit_settings[:user] %> +--rabbit_password=<%= @rabbit_settings[:password] %> +--rabbit_virtual_host=<%= @rabbit_settings[:vhost] %> +<% end %> +--network_manager=<%= node[:nova][:network_manager] %> +--default_project=<%= node[:nova][:default_project] %> +<% if node[:nova][:flat_network_bridge] %>--flat_network_bridge=<%= node[:nova][:flat_network_bridge] %><% end %> +<% if node[:nova][:flat_interface] %>--flat_interface=<%= node[:nova][:flat_interface] %><% end %> +<% if node[:nova][:flat_network_dhcp_start] %>--flat_network_dhcp_start=<%= node[:nova][:flat_network_dhcp_start] %><% end %> +--glance_host=<%= node[:nova][:glance_host] %> +--glance_port=<%= node[:nova][:glance_port] %> +--image_service=<%= node[:nova][:image_service] %> +--lock_path=<%= node[:nova][:lock_path] %> +--sql_idle_timeout=<%= node[:nova][:db][:sql_idle_timeout] %> diff --git a/cookbooks/nova/templates/default/slapd.conf.erb b/cookbooks/nova/templates/default/slapd.conf.erb new file mode 100644 index 0000000..eac5fed --- /dev/null +++ b/cookbooks/nova/templates/default/slapd.conf.erb 
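Review bot: This template writes the RabbitMQ password and the `--sql_connection` string (which typically carries the database credentials) into `/etc/nova/nova.conf`, and the rendering resource in the common.rb hunk installs that file with `owner "root"`, `group "root"`, `mode 0644` — world-readable, so any local account on a compute or API node can read the message-queue and database credentials. Render it as `group "nova"` with `mode 0640` instead, since the other recipes in this commit run nova-manage as the nova user; that template resource starts outside this chunk. `node[:nova][:my_ip].split('.')` also raises inside the template if `my_ip` is unset, taking the converge down with a NoMethodError rather than a clear message.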
@@ -0,0 +1,36 @@ +# slapd.conf - Configuration file for LDAP SLAPD +########## +# Basics # +########## +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/inetorgperson.schema +include /etc/ldap/schema/openssh-lpk_openldap.schema +include /etc/ldap/schema/nova.schema +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args +loglevel none +modulepath /usr/lib/ldap +# modulepath /usr/local/libexec/openldap +moduleload back_hdb +########################## +# Database Configuration # +########################## +database hdb +suffix "dc=example,dc=com" +rootdn "cn=Manager,dc=example,dc=com" +rootpw changeme +directory /var/lib/ldap +# directory /usr/local/var/openldap-data +index objectClass,cn eq +######## +# ACLs # +######## +access to attrs=userPassword + by anonymous auth + by self write + by * none +access to * + by self write + by * none + diff --git a/cookbooks/nova/templates/default/sv-nova-api-log-run.erb b/cookbooks/nova/templates/default/sv-nova-api-log-run.erb new file mode 100644 index 0000000..9ec4380 --- /dev/null +++ b/cookbooks/nova/templates/default/sv-nova-api-log-run.erb @@ -0,0 +1,3 @@ +#!/bin/sh +exec svlogd -tt ./main + diff --git a/cookbooks/nova/templates/default/sv-nova-api-run.erb b/cookbooks/nova/templates/default/sv-nova-api-run.erb new file mode 100644 index 0000000..a602324 --- /dev/null +++ b/cookbooks/nova/templates/default/sv-nova-api-run.erb @@ -0,0 +1,7 @@ +#!/bin/sh + +cd <%= File.join(node[:nova][:local_branch_dir]) %> +source <%= File.join(node[:nova][:local_branch_dir], "novarc") %> +exec 2>&1 +exec <%= File.join(node[:nova][:local_branch_dir], "tools", "with_venv.sh") %> <%= File.join(node[:nova][:local_branch_dir], "bin", "nova-api") %> --verbose --nodaemonize + diff --git a/cookbooks/nova/templates/default/sv-nova-compute-log-run.erb b/cookbooks/nova/templates/default/sv-nova-compute-log-run.erb new file mode 100644 index 0000000..9ec4380 --- /dev/null 
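Review bot: `rootpw changeme` hard-codes a plaintext, well-known root password for the directory, and `suffix`/`rootdn` are fixed to `dc=example,dc=com` — the same placeholders appear in ldap.conf.erb. The openldap README in this commit already describes the intended mechanism (`openldap[:rootpw]` holding a `slappasswd` hash and `openldap[:basedn]`), so the template should render `rootpw <%= node[:openldap][:rootpw] %>` and `suffix "<%= node[:openldap][:basedn] %>"` (with `rootdn` built from the same base) rather than literals. `loglevel none` also means failed binds against this directory leave no trace in syslog; `loglevel stats` is the usual minimum for noticing brute-force attempts.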
+++ b/cookbooks/nova/templates/default/sv-nova-compute-log-run.erb @@ -0,0 +1,3 @@ +#!/bin/sh +exec svlogd -tt ./main + diff --git a/cookbooks/nova/templates/default/sv-nova-compute-run.erb b/cookbooks/nova/templates/default/sv-nova-compute-run.erb new file mode 100644 index 0000000..ec626f8 --- /dev/null +++ b/cookbooks/nova/templates/default/sv-nova-compute-run.erb @@ -0,0 +1,9 @@ +#!/bin/sh + +cd <%= File.join(node[:nova][:local_branch_dir]) %> +source <%= File.join(node[:nova][:local_branch_dir], "novarc") %> +exec 2>&1 +exec <%= File.join(node[:nova][:local_branch_dir], "tools", "with_venv.sh") %> <%= File.join(node[:nova][:local_branch_dir], "bin", "nova-compute") %> --verbose --nodaemon --connection_type=<%= node[:nova][:compute_connection_type] %> + + + diff --git a/cookbooks/nova/templates/default/sv-nova-objectstore-log-run.erb b/cookbooks/nova/templates/default/sv-nova-objectstore-log-run.erb new file mode 100644 index 0000000..a79a518 --- /dev/null +++ b/cookbooks/nova/templates/default/sv-nova-objectstore-log-run.erb @@ -0,0 +1,2 @@ +#!/bin/sh +exec svlogd -tt ./main diff --git a/cookbooks/nova/templates/default/sv-nova-objectstore-run.erb b/cookbooks/nova/templates/default/sv-nova-objectstore-run.erb new file mode 100644 index 0000000..8e1bec0 --- /dev/null +++ b/cookbooks/nova/templates/default/sv-nova-objectstore-run.erb @@ -0,0 +1,8 @@ +#!/bin/sh + +cd <%= File.join(node[:nova][:local_branch_dir]) %> +source <%= File.join(node[:nova][:local_branch_dir], "novarc") %> +exec 2>&1 +exec <%= File.join(node[:nova][:local_branch_dir], "tools", "with_venv.sh") %> <%= File.join(node[:nova][:local_branch_dir], "bin", "nova-objectstore") %> --verbose --nodaemon + + diff --git a/cookbooks/nova/templates/default/sysctl.conf.erb b/cookbooks/nova/templates/default/sysctl.conf.erb new file mode 100644 index 0000000..8acc235 --- /dev/null +++ b/cookbooks/nova/templates/default/sysctl.conf.erb 
@@ -0,0 +1,60 @@ + +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additional system variables. +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 + +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/cookbooks/nscd/metadata.json b/cookbooks/nscd/metadata.json new file mode 100644 index 0000000..414d62a --- /dev/null +++ b/cookbooks/nscd/metadata.json @@ -0,0 +1,52 @@ +{ + "platforms": { + "debian": [ + + ], + "centos": [ + + ], + "ubuntu": [ + + ], + "redhat": [ + + ] + }, + "maintainer": "Opscode, Inc.", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "cookbooks@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs and configures nscd", + "version": "0.7.0", + "suggestions": { + "openldap": [ + + ] + }, + "attributes": { + + }, + "conflicting": { + + }, + "name": "nscd", + "recipes": { + + }, + "dependencies": { + + }, + "long_description": "", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/nscd/metadata.rb b/cookbooks/nscd/metadata.rb new file mode 100644 index 0000000..1d56805 --- /dev/null +++ b/cookbooks/nscd/metadata.rb @@ -0,0 +1,9 @@ +maintainer "Opscode, Inc." +maintainer_email "cookbooks@opscode.com" +license "Apache 2.0" +description "Installs and configures nscd" +version "0.7" +suggests "openldap" +%w{ redhat centos debian ubuntu }.each do |os| + supports os +end diff --git a/cookbooks/nscd/recipes/default.rb b/cookbooks/nscd/recipes/default.rb new file mode 100644 index 0000000..fca30f2 --- /dev/null +++ b/cookbooks/nscd/recipes/default.rb 
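Review bot: The template enables `net.ipv4.ip_forward=1`, which turns the network node into a router for tenant traffic, but leaves every hardening knob the file's own comments recommend commented out: `accept_redirects`, `send_redirects`, `accept_source_route` and `log_martians`. A forwarding host is exactly where ICMP redirects and source-routed packets matter, so at least `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.accept_source_route = 0` and `net.ipv4.conf.all.log_martians = 1` should be uncommented. `rp_filter` is left alone here on purpose, since strict reverse-path filtering can interfere with the VLAN/flat networking modes nova.conf selects — confirm on a test node before enabling it.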
@@ -0,0 +1,33 @@ +# +# Cookbook Name:: nscd +# Recipe:: default +# +# Copyright 2009, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +package "nscd" do + action :upgrade +end + +service "nscd" do + supports :restart => true, :status => true + action [:enable, :start] +end + +%w{ passwd group }.each do |cmd| + execute "nscd-clear-#{cmd}" do + command "/usr/sbin/nscd -i #{cmd}" + action :nothing + end +end diff --git a/cookbooks/openldap/README.rdoc b/cookbooks/openldap/README.rdoc new file mode 100644 index 0000000..161b76a --- /dev/null +++ b/cookbooks/openldap/README.rdoc 
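Review bot: `package "nscd" do action :upgrade end` pulls a newer nscd on every converge whenever the apt cache offers one, which makes production nodes drift between runs and is unusual for a daemon that caches passwd/group lookups; `action :install`, with a pinned `version` when needed, is the conventional choice. The `nscd-clear-passwd` and `nscd-clear-group` executes are `action :nothing` and nothing in this hunk notifies them, so they only take effect if another cookbook (presumably openldap) does; a comment naming that consumer would make the dependency visible.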
@@ -0,0 +1,101 @@ += DESCRIPTION: + +Configures a server to be an OpenLDAP master, OpenLDAP replication slave, or OpenLDAP client. + += REQUIREMENTS: + +== Platform: + +Ubuntu 8.10 was primarily used in testing this cookbook. Other Ubuntu versions and Debian may work. CentOS and Red Hat are not fully supported, but we take patches. + +== Recipes: + +* openssh +* nscd + += ATTRIBUTES: + +Be aware of the attributes used by this cookbook and adjust the defaults for your environment where required, in attributes/openldap.rb. + +== Client node attributes + +* openldap[:basedn] - basedn +* openldap[:server] - the LDAP server fully qualified domain name, default 'ldap'.node[:domain]. + +== Server node attributes + +* openldap[:slapd_type] - master | slave +* openldap[:slapd_rid] - unique integer ID, required if type is slave. +* openldap[:slapd_master] - hostname of slapd master, attempts to search for slapd_type master. + +== Apache configuration attributes + +Attributes useful for Apache authentication with LDAP. + +COOK-128 - set automatically based on openldap[:server] and openldap[:basedn] if those attributes are set. openldap[:auth_bindpw] remains nil by default as a default value is not easily predicted. + +* openldap[:auth_type] - determine whether binddn and bindpw are required (openldap no, ad yes) +* openldap[:auth_url] - AuthLDAPURL +* openldap[:auth_binddn] - AuthLDAPBindDN +* openldap[:auth_bindpw] - AuthLDAPBindPassword + += USAGE: + +Edit Rakefile variables for SSL certificate. + +On client systems, + + include_recipe "openldap::auth" + +This will get the required packages and configuration for client systems. This will be required on server systems as well, so this is a good candidate for inclusion in a site-cookbooks/base. + +On server systems, set the server node attributes in the Chef node, or in a JSON attributes file. 
Include the openldap::server recipe: + + include_recipe "openldap::server" + +When initially installing a brand new LDAP master server on Ubuntu 8.10, the configuration directory may need to be removed and recreated before slapd will start successfully. Doing this programmatically may cause other issues, so fix the directory manually :-). + + $ sudo slaptest -F /etc/ldap/slapd.d + str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38) + => ldif_enum_tree: failed to read entry for /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif + slaptest: bad configuration directory! + +Simply remove the configuration, rerun chef-client. For some reason slapd isn't getting started even though the service resource is notified to start, so start it manually. + + $ sudo rm -rf /etc/ldap/slapd.d/ /etc/ldap/slapd.conf + $ sudo chef-client + $ sudo /etc/init.d/slapd start + +=== A note about certificates + +Certificates created by the Rakefile are self signed. If you have a purchased CA, that can be used. Be sure to update the certificate locations in the templates as required. We suggest copying this cookbook to the site-cookbooks for such modifications, so you can still pull from our master for updates, and then merge your changes in. + +== NEW DIRECTORY: + +If installing for the first time, the initial directory needs to be created. Create an ldif file, and start populating the directory. + +== PASSWORDS: + +Set the password, openldap[:rootpw] for the rootdn in the node's attributes. This should be a password hash generated from slappasswd. The default slappasswd command on Ubuntu 8.10 and Mac OS X 10.5 will generate a SHA1 hash: + + $ slappasswd -s "secretsauce" + {SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/ + +Set this by default in the attributes file, or on the node's entry in the webui. 
+ +== LICENSE & AUTHOR: + +Author:: Joshua Timberman () +Copyright:: 2009, Opscode, Inc + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/cookbooks/openldap/Rakefile b/cookbooks/openldap/Rakefile new file mode 100644 index 0000000..5a8ddfa --- /dev/null +++ b/cookbooks/openldap/Rakefile 
@@ -0,0 +1,48 @@ +# Rakefile for OpenLDAP cookbook. +# Primarily used for generating SSL certificate(s). +# Extend with other OpenLDAP related tasks as required. + +require 'tempfile' + +COMPANY_NAME = "Company" +SSL_COUNTRY_NAME = "US" +SSL_STATE_NAME = "State" +SSL_LOCALITY_NAME = "City" +SSL_ORGANIZATIONAL_UNIT_NAME = "Operations" +SSL_EMAIL_ADDRESS = "operations@example.com" +CADIR = File.expand_path(File.join(File.dirname(__FILE__), "files", "default", "ssl")) + +desc "Create a new self-signed SSL certificate for FQDN=foo.example.com" +task :ssl_cert do + $expect_verbose = true + fqdn = ENV["FQDN"] + fqdn =~ /^(.+?)\.(.+)$/ + hostname = $1 + domain = $2 + raise "Must provide FQDN!" unless fqdn && hostname && domain + puts "** Creating self signed SSL Certificate for #{fqdn}" + sh("(cd #{CADIR} && openssl genrsa 2048 > #{fqdn}.key)") + sh("(cd #{CADIR} && chmod 644 #{fqdn}.key)") + puts "* Generating Self Signed Certificate Request" + tf = Tempfile.new("#{fqdn}.ssl-conf") + ssl_config = < #{fqdn}.crt)") + sh("(cd #{CADIR} && openssl x509 -noout -fingerprint -text < #{fqdn}.crt > #{fqdn}.info)") + sh("(cd #{CADIR} && cat #{fqdn}.crt #{fqdn}.key > #{fqdn}.pem)") + sh("(cd #{CADIR} && chmod 644 #{fqdn}.pem)") +end \ No newline at end of file diff --git a/cookbooks/openldap/attributes/default.rb b/cookbooks/openldap/attributes/default.rb new file mode 100644 index 0000000..4d8585e --- /dev/null +++ b/cookbooks/openldap/attributes/default.rb 
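Review bot: the private key is written world-readable — `openssl genrsa 2048 > #{fqdn}.key` creates the file under the caller's umask and the next line then explicitly runs `chmod 644 #{fqdn}.key`, and the concatenated `#{fqdn}.pem` (certificate plus key) gets `chmod 644` as well. Create the key with a restrictive umask and tighten both: `sh("(cd #{CADIR} && umask 077 && openssl genrsa -out #{fqdn}.key 2048)")`, `chmod 600 #{fqdn}.key`, `chmod 600 #{fqdn}.pem`. Note also that `CADIR` is `files/default/ssl` inside the cookbook, so the key lands in the tree that is uploaded and distributed with the cookbook, presumably to every node that runs it; keep the key out of version control and out of the uploaded cookbook (a .gitignore entry at minimum). `fqdn` comes straight from `ENV["FQDN"]` and is interpolated into `sh(...)` unquoted, which is tolerable for a local rake task but deserves a `raise` if it contains anything beyond hostname characters. The heredoc body between `ssl_config = <` and the `openssl req` call is not legible in this rendering, so I cannot review the subject it produces.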
@@ -0,0 +1,61 @@
+# Cookbook Name:: openldap
+# Attributes:: openldap
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if domain.length > 0
+ default[:openldap][:basedn] = "dc=#{domain.split('.').join(",dc=")}"
+ default[:openldap][:server] = "ldap.#{domain}"
+end
+
+openldap[:rootpw] = nil
+
+# File and directory locations for openldap.
+case platform
+when "redhat","centos"
+ set[:openldap][:dir] = "/etc/openldap"
+ set[:openldap][:run_dir] = "/var/run/openldap"
+ set[:openldap][:module_dir] = "/usr/lib64/openldap"
+when "debian","ubuntu"
+ set[:openldap][:dir] = "/etc/ldap"
+ set[:openldap][:run_dir] = "/var/run/slapd"
+ set[:openldap][:module_dir] = "/usr/lib/ldap"
+else
+ set[:openldap][:dir] = "/etc/ldap"
+ set[:openldap][:run_dir] = "/var/run/slapd"
+ set[:openldap][:module_dir] = "/usr/lib/ldap"
+end
+
+openldap[:ssl_dir] = "#{openldap[:dir]}/ssl"
+openldap[:cafile] = "#{openldap[:ssl_dir]}/ca.crt"
+
+# Server settings.
+openldap[:slapd_type] = nil
+
+if openldap[:slapd_type] == "slave"
+ master = search(:nodes, 'openldap_slapd_type:master')
+ default[:openldap][:slapd_master] = master
+ default[:openldap][:slapd_replpw] = nil
+ default[:openldap][:slapd_rid] = 102
+end
+
+# Auth settings for Apache.
+if openldap[:basedn] && openldap[:server]
+ default[:openldap][:auth_type] = "openldap"
+ default[:openldap][:auth_binddn] = "ou=people,#{openldap[:basedn]}"
+ default[:openldap][:auth_bindpw] = nil
+ default[:openldap][:auth_url] = "ldap://#{openldap[:server]}/#{openldap[:auth_binddn]}?uid?sub?(objecctClass=*)"
+end
diff --git a/cookbooks/openldap/files/default/common-account b/cookbooks/openldap/files/default/common-account
new file mode 100644
index 0000000..c840654
--- /dev/null
+++ b/cookbooks/openldap/files/default/common-account
@@ -0,0 +1,7 @@
+# Generated by Chef. Local modifications will be overwritten.
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+account sufficient pam_unix.so
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+
diff --git a/cookbooks/openldap/files/default/common-auth b/cookbooks/openldap/files/default/common-auth
new file mode 100644
index 0000000..cc1b137
--- /dev/null
+++ b/cookbooks/openldap/files/default/common-auth
@@ -0,0 +1,7 @@
+# Generated by Chef. Local modifications will be overwritten.
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+auth sufficient pam_unix.so likeauth nullok_secure
+auth sufficient pam_ldap.so use_first_pass
+
diff --git a/cookbooks/openldap/files/default/common-password b/cookbooks/openldap/files/default/common-password
new file mode 100644
index 0000000..7657f20
--- /dev/null
+++ b/cookbooks/openldap/files/default/common-password
@@ -0,0 +1,7 @@
+# Generated by Chef. Local modifications will be overwritten.
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+password sufficient pam_unix.so nullok obscure min=8 max=8 md5
+password sufficient pam_ldap.so
+
diff --git a/cookbooks/openldap/files/default/common-session b/cookbooks/openldap/files/default/common-session
new file mode 100644
index 0000000..518180f
--- /dev/null
+++ b/cookbooks/openldap/files/default/common-session
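Review bot: the Apache `auth_url` filter is misspelled — `?uid?sub?(objecctClass=*)` — so any AuthLDAPURL built from this attribute searches on an attribute type that does not exist; the metadata lists `(objectClass=*)`, which is what this line should emit. The slave block just above is unreachable: `openldap[:slapd_type] = nil` is assigned unconditionally two lines before `if openldap[:slapd_type] == "slave"`, so `slapd_master`, `slapd_replpw` and `slapd_rid` never get their defaults, and even if it were reached the raw `search(:nodes, ...)` result is assigned to `slapd_master` although the README describes that attribute as a hostname (extract `master.first[:fqdn]`, or move the search into the recipe). Bare `openldap[:rootpw] = nil` in an attributes file is, as far as I recall Chef's precedence rules of that era, a normal/`set`-level write that can clobber a `rootpw` set on the node as the README instructs; `default[:openldap][:rootpw] = nil` matches the rest of the file and is the safer form — please confirm against the targeted Chef version.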
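Review bot: the account stack has no explicit terminator — `account sufficient pam_unix.so` and the `[default=bad success=ok user_unknown=ignore] pam_ldap.so` line can both fall through to `ignore`, leaving the final result to libpam's implicit default. The stock Debian file closes with `account requisite pam_deny.so` followed by `account required pam_permit.so` so that a stack in which nothing succeeded fails closed; add those two lines after the pam_ldap entry.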
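Review bot: `auth sufficient pam_unix.so likeauth nullok_secure` accepts empty local passwords on terminals listed in /etc/securetty, which is a surprising default for a file pushed to every LDAP client; drop `nullok_secure` unless empty passwords are intended. As with the other stacks there is no explicit deny at the end, so a failure of both `sufficient` modules relies on libpam's implicit result; close the stack with `auth requisite pam_deny.so` and `auth required pam_permit.so`, as the Debian defaults do.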
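Review bot: `password sufficient pam_unix.so nullok obscure min=8 max=8 md5` selects MD5 for new local password hashes and `nullok` allows a password to be set to empty; pam_unix has supported `sha512` since 1.0.1, which I believe is what the Ubuntu 8.10 this cookbook targets ships, so `password sufficient pam_unix.so obscure min=8 sha512` is the hardening I would expect here (confirm on the target release). `max=8` also looks like a leftover from DES-era crypt; with a modern hash it is either ignored or actively truncates passwords, so it should go.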
@@ -0,0 +1,9 @@
+# Generated by Chef. Local modifications will be overwritten.
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+session required pam_unix.so
+session required pam_mkhomedir.so skel=/etc/skel/
+session required pam_ldap.so
+#session optional pam_foreground.so
+
diff --git a/cookbooks/openldap/files/default/nsswitch.conf b/cookbooks/openldap/files/default/nsswitch.conf
new file mode 100644
index 0000000..dd16cd4
--- /dev/null
+++ b/cookbooks/openldap/files/default/nsswitch.conf
@@ -0,0 +1,21 @@
+# Generated by Chef. Local modifications will be overwritten.
+#
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/cookbooks/openldap/files/default/slapd.seed b/cookbooks/openldap/files/default/slapd.seed
new file mode 100644
index 0000000..5949f66
--- /dev/null
+++ b/cookbooks/openldap/files/default/slapd.seed
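Review bot: `session required pam_mkhomedir.so skel=/etc/skel/` creates new home directories with the module's default `umask=0022`, i.e. world-readable homes for every LDAP user that logs in for the first time; add `umask=0077` unless readable homes are intended. `session required pam_ldap.so` also makes every session open depend on the LDAP module succeeding, whereas the Debian defaults use `session optional pam_ldap.so` so local accounts (root at the console) are not locked out when the directory is unreachable — I cannot confirm pam_ldap's session return codes from here, so verify before relaxing it.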
@@ -0,0 +1,21 @@
+slapd slapd/password1 password
+slapd slapd/internal/adminpw password
+slapd slapd/password2 password
+slapd slapd/allow_ldap_v2 boolean false
+slapd slapd/password_mismatch note
+slapd slapd/suffix_change boolean false
+slapd slapd/fix_directory boolean true
+slapd slapd/invalid_config boolean true
+slapd slapd/slave_databases_require_updateref note
+slapd shared/organization string monkey
+slapd slapd/upgrade_slapcat_failure note
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/autoconf_modules boolean true
+slapd slapd/purge_database boolean false
+slapd slapd/domain string monkey.com
+slapd slapd/backend select BDB
+slapd slapd/no_configuration boolean false
+slapd slapd/migrate_ldbm_to_bdb boolean true
+slapd slapd/move_old_database boolean true
+slapd slapd/dump_database select when needed
+slapd slapd/upgrade_slapadd_failure note
diff --git a/cookbooks/openldap/metadata.json b/cookbooks/openldap/metadata.json
new file mode 100644
index 0000000..c96908c
--- /dev/null
+++ b/cookbooks/openldap/metadata.json
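Review bot: this preseed is shipped as a static `cookbook_file`, so the organisation and domain it feeds to slapd's postinst are the placeholders `monkey` and `monkey.com` rather than anything derived from `node[:openldap][:basedn]`, and the `slapd/password1`, `slapd/password2` and `slapd/internal/adminpw` entries carry an empty value. Whatever the Debian postinst does with an empty admin password in non-interactive mode (I cannot confirm from here whether it generates one or leaves it empty), the initial rootdn credential is not the `openldap[:rootpw]` hash the README tells operators to set. Make this a template (`slapd.seed.erb`) driven by the node attributes, e.g. `slapd slapd/domain string <%= node[:domain] %>`, and either preseed the password from a secret the recipe already holds or make sure the rendered slapd.conf overrides it before the service is first started.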
@@ -0,0 +1,275 @@ +{ + "platforms": { + "debian": [ + + ], + "ubuntu": [ + + ] + }, + "maintainer": "Opscode, Inc.", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "cookbooks@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Configures a server to be an OpenLDAP master, replication slave or client for auth", + "version": "0.9.3", + "suggestions": { + + }, + "attributes": { + "openldap/auth_binddn": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "ou=people,openldap_basedn", + "type": "string", + "recipes": [ + + ], + "description": "Used in auth_url and Apache configs, AuthBindDN", + "display_name": "OpenLDAP Auth BindDN" + }, + "openldap/slapd_rid": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "102", + "type": "string", + "recipes": [ + + ], + "description": "Slave's ID, must be unique", + "display_name": "OpenLDAP Slapd Replication ID" + }, + "openldap/slapd_replpw": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "nil", + "type": "string", + "recipes": [ + + ], + "description": "Password for slaves to replicate from master", + "display_name": "OpenLDAP Slapd Replication Password" + }, + "openldap/server": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "ldap.domain", + "type": "string", + "recipes": [ + + ], + "description": "LDAP Server, used for URIs", + "display_name": "OpenLDAP Server" + }, + "openldap/auth_url": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "ldap://openldap_server/openldap_auth_binddn?uid?sub?(objectClass=*)", + "type": "string", + "recipes": [ + + ], + "description": "Used in Apache configs, AuthLDAPURL", + "display_name": "OpenLDAP Auth URL" + }, + "openldap/cafile": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "openldap_dir_ssl/ca.crt", + "type": 
"string", + "recipes": [ + + ], + "description": "Location for CA certificate", + "display_name": "OpenLDAP CA File" + }, + "openldap/module_dir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/usr/lib/ldap", + "type": "string", + "recipes": [ + + ], + "description": "Location for OpenLDAP add-on modules", + "display_name": "OpenLDAP Module Directory" + }, + "openldap/run_dir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/var/run/slapd", + "type": "string", + "recipes": [ + + ], + "description": "Run directory for LDAP server processes", + "display_name": "OpenLDAP Run Directory" + }, + "openldap/ssl_dir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "openldap_dir/ssl", + "type": "string", + "recipes": [ + + ], + "description": "Location for LDAP SSL certificates", + "display_name": "OpenLDAP SSL Directory" + }, + "openldap/dir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/etc/ldap", + "type": "string", + "recipes": [ + + ], + "description": "Main configuration directory for OpenLDAP", + "display_name": "OpenLDAP Dir" + }, + "openldap/auth_bindpw": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "nil", + "type": "string", + "recipes": [ + + ], + "description": "Used in Apache configs, AuthBindPassword", + "display_name": "OpenLDAP Auth Bind Password" + }, + "openldap/slapd_master": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "nil", + "type": "string", + "recipes": [ + + ], + "description": "Search nodes for attribute slapd_type master, for slaves", + "display_name": "OpenLDP Slapd Master" + }, + "openldap/slapd_type": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "nil", + "type": "string", + "recipes": [ + + ], + "description": "Whether the server is a master or slave", + "display_name": 
"OpenLDAP Slapd Type" + }, + "openldap/basedn": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "dc=domain,dc=com", + "type": "string", + "recipes": [ + + ], + "description": "BaseDN for the LDAP directory", + "display_name": "OpenLDAP BaseDN" + }, + "openldap/rootpw": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "nil", + "type": "string", + "recipes": [ + + ], + "description": "Password for 'admin' root user, should be a SHA hash that OpenLDAP supports", + "display_name": "OpenLDAP Root Password" + }, + "openldap/auth_type": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "openldap", + "type": "string", + "recipes": [ + + ], + "description": "Used in Apache configs, AuthBasicProvider", + "display_name": "OpenLDAP Auth Type" + } + }, + "conflicting": { + + }, + "name": "openldap", + "recipes": { + "openldap::auth": "Set up openldap for user authentication", + "openldap": "Empty, use one of the other recipes", + "openldap::server": "Set up openldap to be a slapd server", + "openldap::client": "Install openldap client packages" + }, + "dependencies": { + "nscd": [ + + ], + "openssh": [ + + ] + }, + "long_description": "= DESCRIPTION:\n\nConfigures a server to be an OpenLDAP master, OpenLDAP replication slave, or OpenLDAP client.\n\n= REQUIREMENTS:\n\n== Platform:\n\nUbuntu 8.10 was primarily used in testing this cookbook. Other Ubuntu versions and Debian may work. 
CentOS and Red Hat are not fully supported, but we take patches.\n\n== Recipes:\n\n* openssh \n* nscd\n\n= ATTRIBUTES:\n\nBe aware of the attributes used by this cookbook and adjust the defaults for your environment where required, in attributes/openldap.rb.\n\n== Client node attributes\n\n* openldap[:basedn] - basedn \n* openldap[:server] - the LDAP server fully qualified domain name, default 'ldap'.node[:domain].\n\n== Server node attributes\n\n* openldap[:slapd_type] - master | slave\n* openldap[:slapd_rid] - unique integer ID, required if type is slave.\n* openldap[:slapd_master] - hostname of slapd master, attempts to search for slapd_type master.\n\n== Apache configuration attributes\n\nAttributes useful for Apache authentication with LDAP.\n\nCOOK-128 - set automatically based on openldap[:server] and openldap[:basedn] if those attributes are set. openldap[:auth_bindpw] remains nil by default as a default value is not easily predicted.\n\n* openldap[:auth_type] - determine whether binddn and bindpw are required (openldap no, ad yes)\n* openldap[:auth_url] - AuthLDAPURL\n* openldap[:auth_binddn] - AuthLDAPBindDN\n* openldap[:auth_bindpw] - AuthLDAPBindPassword\n\n= USAGE:\n\nEdit Rakefile variables for SSL certificate.\n\nOn client systems, \n\n include_recipe \"openldap::auth\"\n \nThis will get the required packages and configuration for client systems. This will be required on server systems as well, so this is a good candidate for inclusion in a site-cookbooks/base.\n\nOn server systems, set the server node attributes in the Chef node, or in a JSON attributes file. Include the openldap::server recipe:\n\n include_recipe \"openldap::server\"\n \nWhen initially installing a brand new LDAP master server on Ubuntu 8.10, the configuration directory may need to be removed and recreated before slapd will start successfully. 
Doing this programmatically may cause other issues, so fix the directory manually :-).\n\n $ sudo slaptest -F /etc/ldap/slapd.d\n str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)\n => ldif_enum_tree: failed to read entry for /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif\n slaptest: bad configuration directory!\n\nSimply remove the configuration, rerun chef-client. For some reason slapd isn't getting started even though the service resource is notified to start, so start it manually. \n\n $ sudo rm -rf /etc/ldap/slapd.d/ /etc/ldap/slapd.conf\n $ sudo chef-client\n $ sudo /etc/init.d/slapd start\n \n=== A note about certificates\n\nCertificates created by the Rakefile are self signed. If you have a purchased CA, that can be used. Be sure to update the certificate locations in the templates as required. We suggest copying this cookbook to the site-cookbooks for such modifications, so you can still pull from our master for updates, and then merge your changes in.\n \n== NEW DIRECTORY:\n\nIf installing for the first time, the initial directory needs to be created. Create an ldif file, and start populating the directory.\n \n== PASSWORDS:\n\nSet the password, openldap[:rootpw] for the rootdn in the node's attributes. This should be a password hash generated from slappasswd. The default slappasswd command on Ubuntu 8.10 and Mac OS X 10.5 will generate a SHA1 hash:\n\n $ slappasswd -s \"secretsauce\"\n {SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/\n \nSet this by default in the attributes file, or on the node's entry in the webui. 
\n \n== LICENSE & AUTHOR:\n\nAuthor:: Joshua Timberman ()\nCopyright:: 2009, Opscode, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/openldap/metadata.rb b/cookbooks/openldap/metadata.rb new file mode 100644 index 0000000..853f274 --- /dev/null +++ b/cookbooks/openldap/metadata.rb 
@@ -0,0 +1,99 @@ +maintainer "Opscode, Inc." +maintainer_email "cookbooks@opscode.com" +license "Apache 2.0" +description "Configures a server to be an OpenLDAP master, replication slave or client for auth" +long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc')) +version "0.9.3" +recipe "openldap", "Empty, use one of the other recipes" +recipe "openldap::auth", "Set up openldap for user authentication" +recipe "openldap::client", "Install openldap client packages" +recipe "openldap::server", "Set up openldap to be a slapd server" + +%w{ ubuntu debian }.each do |os| + supports os +end + +%w{ openssh nscd }.each do |cb| + depends cb +end + +attribute "openldap/basedn", + :display_name => "OpenLDAP BaseDN", + :description => "BaseDN for the LDAP directory", + :default => "dc=domain,dc=com" + +attribute "openldap/server", + :display_name => "OpenLDAP Server", + :description => "LDAP Server, used for URIs", + :default => "ldap.domain" + +attribute "openldap/rootpw", + :display_name => "OpenLDAP Root Password", + :description => "Password for 'admin' root user, should be a SHA hash that OpenLDAP supports", + :default => "nil" + +attribute "openldap/dir", + :display_name => "OpenLDAP Dir", + :description => "Main configuration directory for OpenLDAP", + :default => "/etc/ldap" + +attribute "openldap/run_dir", + :display_name => "OpenLDAP Run Directory", + :description => "Run directory for LDAP server processes", + :default => "/var/run/slapd" + +attribute "openldap/module_dir", + :display_name => "OpenLDAP Module Directory", + :description => "Location for OpenLDAP add-on modules", + :default => "/usr/lib/ldap" + +attribute "openldap/ssl_dir", + :display_name => "OpenLDAP SSL Directory", + :description => "Location for LDAP SSL certificates", + :default => "openldap_dir/ssl" + +attribute "openldap/cafile", + :display_name => "OpenLDAP CA File", + :description => "Location for CA certificate", + :default => "openldap_dir_ssl/ca.crt" + +attribute 
"openldap/slapd_type", + :display_name => "OpenLDAP Slapd Type", + :description => "Whether the server is a master or slave", + :default => "nil" + +attribute "openldap/slapd_master", + :display_name => "OpenLDP Slapd Master", + :description => "Search nodes for attribute slapd_type master, for slaves", + :default => "nil" + +attribute "openldap/slapd_replpw", + :display_name => "OpenLDAP Slapd Replication Password", + :description => "Password for slaves to replicate from master", + :default => "nil" + +attribute "openldap/slapd_rid", + :display_name => "OpenLDAP Slapd Replication ID", + :description => "Slave's ID, must be unique", + :default => "102" + +attribute "openldap/auth_type", + :display_name => "OpenLDAP Auth Type", + :description => "Used in Apache configs, AuthBasicProvider", + :default => "openldap" + +attribute "openldap/auth_binddn", + :display_name => "OpenLDAP Auth BindDN", + :description => "Used in auth_url and Apache configs, AuthBindDN", + :default => "ou=people,openldap_basedn" + +attribute "openldap/auth_bindpw", + :display_name => "OpenLDAP Auth Bind Password", + :description => "Used in Apache configs, AuthBindPassword", + :default => "nil" + +attribute "openldap/auth_url", + :display_name => "OpenLDAP Auth URL", + :description => "Used in Apache configs, AuthLDAPURL", + :default => "ldap://openldap_server/openldap_auth_binddn?uid?sub?(objectClass=*)" + diff --git a/cookbooks/openldap/recipes/auth.rb b/cookbooks/openldap/recipes/auth.rb new file mode 100644 index 0000000..e46c785 --- /dev/null +++ b/cookbooks/openldap/recipes/auth.rb 
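Review bot: `:default => "nil"` on rootpw, slapd_type, slapd_master, slapd_replpw and auth_bindpw is the three-character string "nil", not a nil; anything that seeds node attributes from this metadata will set a truthy value, and for `slapd_type` a value that is neither "master" nor "slave" — use `:default => nil` or omit the default. Three of these attributes (`rootpw`, `slapd_replpw`, `auth_bindpw`) are credentials and two of them are described as plain passwords; node attributes are, as far as I recall the Chef server's model of that era, readable by every node through search, so the descriptions should at least say that only the hashed `rootpw` belongs here and that the plaintext secrets should come from a data bag or similar.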
@@ -0,0 +1,70 @@
+#
+# Cookbook Name:: openldap
+# Recipe:: auth
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "openldap::client"
+include_recipe "openssh"
+include_recipe "nscd"
+
+package "libnss-ldap" do
+ action :upgrade
+end
+
+package "libpam-ldap" do
+ action :upgrade
+end
+
+template "/etc/ldap.conf" do
+ source "ldap.conf.erb"
+ mode 0644
+ owner "root"
+ group "root"
+end
+
+template "/etc/ldap/ldap.conf" do
+ source "ldap-ldap.conf.erb"
+ mode 0644
+ owner "root"
+ group "root"
+end
+
+cookbook_file "/etc/nsswitch.conf" do
+ source "nsswitch.conf"
+ mode 0644
+ owner "root"
+ group "root"
+ notifies :restart, resources(:service => "nscd"), :immediately
+ notifies :run, resources(:execute => [ "nscd-clear-passwd", "nscd-clear-group" ]), :immediately
+end
+
+%w{ account auth password session }.each do |pam|
+ cookbook_file "/etc/pam.d/common-#{pam}" do
+ source "common-#{pam}"
+ mode 0644
+ owner "root"
+ group "root"
+ notifies :restart, resources(:service => "ssh"), :delayed
+ end
+end
+
+template "/etc/security/login_access.conf" do
+ source "login_access.conf.erb"
+ mode 0644
+ owner "root"
+ group "root"
+end
diff --git a/cookbooks/openldap/recipes/client.rb b/cookbooks/openldap/recipes/client.rb
new file mode 100644
index 0000000..93f009d
--- /dev/null
+++ b/cookbooks/openldap/recipes/client.rb
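Review bot: nothing in this recipe puts a CA certificate on the client — `openldap::client` only creates `node[:openldap][:ssl_dir]`, and the `node[:openldap][:cafile]` attribute is defined but never deployed — so the LDAP configuration rendered here has no trust anchor with which to verify the slapd peer, yet the nsswitch and PAM switch to LDAP goes live regardless. Ship the CA alongside the client configuration so the templates can point at it; the resource below assumes the CA certificate is placed at `files/default/ssl/ca.crt` in the cookbook, which the self-signed Rakefile in this commit does not currently produce under that name. Separately, `/etc/ldap.conf` is written mode 0644, which is right only as long as it never carries a bind password (nss_ldap expects a privileged `rootbinddn` secret in /etc/ldap.secret, mode 0600, not in this file).
```ruby
include_recipe "nscd"

# Trust anchor for verifying the slapd certificate; the ldap.conf templates
# should reference this path (node[:openldap][:cafile]).
cookbook_file node[:openldap][:cafile] do
  source "ssl/ca.crt"
  mode 0644
  owner "root"
  group "root"
end
# … unchanged: libnss-ldap/libpam-ldap packages, ldap.conf templates, nsswitch.conf, PAM files, login_access.conf …
```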
@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: openldap
+# Recipe:: client
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "ldap-utils" do
+ action :upgrade
+end
+
+directory node[:openldap][:ssl_dir] do
+ mode 0755
+ owner "root"
+ group "root"
+end
diff --git a/cookbooks/openldap/recipes/default.rb b/cookbooks/openldap/recipes/default.rb
new file mode 100644
index 0000000..5d425c9
--- /dev/null
+++ b/cookbooks/openldap/recipes/default.rb
@@ -0,0 +1,18 @@
+#
+# Cookbook Name:: openldap
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
diff --git a/cookbooks/openldap/recipes/server.rb b/cookbooks/openldap/recipes/server.rb
new file mode 100644
index 0000000..30c4344
--- /dev/null
+++ b/cookbooks/openldap/recipes/server.rb
@@ -0,0 +1,111 @@
+#
+# Cookbook Name:: openldap
+# Recipe:: server
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+include_recipe "openldap::client"
+
+case node[:platform]
+when "debian","ubuntu"
+ cookbook_file "/var/cache/local/preseeding/slapd.seed" do
+ source "slapd.seed"
+ mode 0600
+ owner "root"
+ group "root"
+ end
+end
+
+package "db4.8-util" do
+ action :upgrade
+end
+
+cookbook_file "/var/cache/local/preseeding/slapd.seed" do
+ source "slapd.seed"
+ mode 0600
+ owner "root"
+ group "root"
+end
+
+package "slapd" do
+ case node[:platform]
+ when "debian","ubuntu"
+ response_file "/var/cache/local/preseeding/slapd.seed"
+ end
+ action :upgrade
+end
+
+#cookbook_file "#{node[:openldap][:ssl_dir]}/#{node[:openldap][:server]}.pem" do
+# source "ssl/#{node[:openldap][:server]}.pem"
+# mode 0644
+# owner "root"
+# group "root"
+#end
+
+service "slapd" do
+ action [:enable, :start]
+end
+
+case node[:lsb][:codename]
+when "intrepid","jaunty"
+ template "/etc/default/slapd" do
+ source "default_slapd.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ end
+
+ directory "#{node[:openldap][:dir]}/slapd.d" do
+ recursive true
+ owner "openldap"
+ group "openldap"
+ action :create
+ end
+
+ execute "slapd-config-convert" do
+ command "slaptest -f #{node[:openldap][:dir]}/slapd.conf -F #{node[:openldap][:dir]}/slapd.d/"
+ user "openldap"
+ action :nothing
+ notifies :start, resources(:service => "slapd"), :immediately
+ end
+
+ template "#{node[:openldap][:dir]}/slapd.conf" do
+ source "slapd.conf.erb"
+ mode 0640
+ owner "openldap"
+ group "openldap"
+ notifies :stop, resources(:service => "slapd"), :immediately
+ notifies :run, resources(:execute => "slapd-config-convert")
+ end
+else
+ case node[:platform]
+ when "debian","ubuntu"
+ template "/etc/default/slapd" do
+ source "default_slapd.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ end
+ end
+
+ template "#{node[:openldap][:dir]}/slapd.conf" do
+ source "slapd.conf.erb"
+ mode 0640
+ owner "openldap"
+ group "openldap"
+ notifies :restart, resources(:service => "slapd")
+ end
+end
+
diff --git a/cookbooks/openldap/templates/default/default_slapd.erb b/cookbooks/openldap/templates/default/default_slapd.erb
new file mode 100644
index 0000000..48269fa
--- /dev/null
+++ b/cookbooks/openldap/templates/default/default_slapd.erb
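Review bot: the `cookbook_file "/var/cache/local/preseeding/slapd.seed"` resource is declared twice — once inside `case node[:platform] when "debian","ubuntu"` and again unconditionally a few lines later — so the platform guard is defeated and non-Debian nodes get a Debian preseed path written (and `package "db4.8-util"` is unconditional for the same reason); keep only the guarded copy. `service "slapd" do action [:enable, :start] end` is declared before the `slapd.conf` template in both branches, so on a fresh node slapd is started once with the package's stock configuration and rootdn before the cookbook's config is written and the service is stopped or restarted. On the intrepid/jaunty path `directory "#{node[:openldap][:dir]}/slapd.d"` sets no `mode`, and `slaptest` then writes the converted configuration (including the rootpw hash) into it under whatever umask chef-client runs with; add `mode 0750` to that resource, and consider declaring the service with `action :enable` only and leaving the first start to the notifications.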
@@ -0,0 +1,47 @@
+# Location of the slapd configuration to use. If using the cn=config
+# backend to store configuration in LDIF, set this variable to the
+# directory containing the cn=config data; otherwise set it to the location
+# of your slapd.conf file. If empty, use the compiled-in default
+# (/etc/ldap/slapd.d).
+SLAPD_CONF=/etc/ldap/slapd.conf
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
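Review bot: default_slapd.erb contains no ERB at all, so `SLAPD_CONF=/etc/ldap/slapd.conf` is fixed regardless of `node[:openldap][:dir]`, which the recipe uses for the real `slapd.conf` path; `SLAPD_CONF=<%= node[:openldap][:dir] %>/slapd.conf` keeps the two in step. On the intrepid/jaunty path the recipe converts the configuration into `slapd.d` with `slaptest -F`, yet this file still points slapd at `slapd.conf`, so it looks like the converted cn=config directory is never the one loaded — worth confirming against the init script. `SLAPD_SERVICES="ldap:/// ldapi:///"` accepts cleartext LDAP on every interface; a comment stating that STARTTLS is expected on the 389 listener (or `ldap://127.0.0.1:389/` where only local clients exist, as the example line above it shows) would document the exposure.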
diff --git a/cookbooks/openldap/templates/default/ldap-ldap.conf.erb b/cookbooks/openldap/templates/default/ldap-ldap.conf.erb new file mode 100644 index 0000000..479f1ae --- /dev/null +++ b/cookbooks/openldap/templates/default/ldap-ldap.conf.erb @@ -0,0 +1,16 @@ +# +# LDAP Defaults +# +# Generated by Chef for <% node[:hostname] %> +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +BASE <%= node[:openldap][:basedn] %> +TLS_REQCERT never +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never \ No newline at end of file diff --git a/cookbooks/openldap/templates/default/ldap.conf.erb b/cookbooks/openldap/templates/default/ldap.conf.erb new file mode 100644 index 0000000..f5b7db6 --- /dev/null +++ b/cookbooks/openldap/templates/default/ldap.conf.erb @@ -0,0 +1,26 @@ +# +# <%= node[:openldap][:dir] %>.conf generated for <%= node[:hostname] %> +# +# Managed by Chef +# + +host <%= node[:openldap][:server] %> +port 389 +bind_policy soft + +ldap_version 3 + +# Where to find data +base <%= node[:openldap][:basedn] %> +scope sub +nss_base_passwd ou=people,<%= node[:openldap][:basedn] %> +nss_base_shadow ou=people,<%= node[:openldap][:basedn] %> +nss_base_group ou=group,<%= node[:openldap][:basedn] %> +nss_base_automount ou=automount,<%= node[:openldap][:basedn] %> + +# TLS Options +ssl start_tls +tls_checkpeer no + +# Password options +pam_password md5 diff --git a/cookbooks/openldap/templates/default/libnss-ldap.conf.erb b/cookbooks/openldap/templates/default/libnss-ldap.conf.erb new file mode 100644 index 0000000..d7d4f32 --- /dev/null +++ b/cookbooks/openldap/templates/default/libnss-ldap.conf.erb 
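Review bot: `TLS_REQCERT never` in ldap-ldap.conf.erb tells every LDAP client library on the host to accept any server certificate, and `tls_checkpeer no` does the same for pam_ldap in ldap.conf.erb (this line) and for nss_ldap in libnss-ldap.conf.erb (next hunk), so `ssl start_tls` defends against passive capture only: a spoofed server can collect bind credentials and return forged user and group data to NSS/PAM. The server template already expects a certificate under `<%= node[:openldap][:dir] %>/ssl/`, so the cookbook could ship the issuing CA and set `TLS_CACERT <path>` with `TLS_REQCERT demand`, and `tls_cacertfile <path>` with `tls_checkpeer yes` in the two client files; if unverified certificates are deliberate for this environment, a comment saying so belongs beside each line. Separately, `# Generated by Chef for <% node[:hostname] %>` uses `<% %>` rather than `<%= %>`, so the hostname is evaluated but never written.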
@@ -0,0 +1,23 @@ +# +# libnss-ldap.conf generated for <%= node[:hostname] %> +# +# Managed by Chef +# +# $Id:$ + +host <%= node[:openldap][:server] %> +port 389 +#bind_policy soft +nss_reconnect_tries 2 +ldap_version 3 + +# Where to find data +base <%= node[:openldap][:basedn] %> +scope sub +nss_base_passwd ou=people,<%= node[:openldap][:basedn] %> +nss_base_shadow ou=people,<%= node[:openldap][:basedn] %> +nss_base_group ou=group,<%= node[:openldap][:basedn] %> + +# TLS Options +ssl start_tls +tls_checkpeer no diff --git a/cookbooks/openldap/templates/default/login_access.conf.erb b/cookbooks/openldap/templates/default/login_access.conf.erb new file mode 100644 index 0000000..e227f5b --- /dev/null +++ b/cookbooks/openldap/templates/default/login_access.conf.erb @@ -0,0 +1,16 @@ +# +# /etc/security/login_access.conf +# +# Prepared for <%= node[:fqdn] %> by Chef +# +<% logingroup = node[:hostname] -%> +<% logingroup = node[:hostname].sub(/^(.+?)\d+(.+)$/, '\1-\2-login') -%> +<% rootgroup = node[:hostname].sub(/^(.+?)\d+(.+)$/, '\1-\2-root') -%> + ++:root:ALL ++:admin:ALL ++:<%= logingroup %>:ALL ++:<%= rootgroup %>:ALL + +# Everyone else cannot login +-:ALL:ALL diff --git a/cookbooks/openldap/templates/default/slapd.conf.erb b/cookbooks/openldap/templates/default/slapd.conf.erb new file mode 100644 index 0000000..7dfa590 --- /dev/null +++ b/cookbooks/openldap/templates/default/slapd.conf.erb 
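Review bot: In login_access.conf.erb the first `<% logingroup = node[:hostname] -%>` is dead because the next line reassigns `logingroup`, and both `sub(/^(.+?)\d+(.+)$/, ...)` calls return the hostname unchanged when it contains no digit run, so on such a host `+:<%= logingroup %>:ALL` and `+:<%= rootgroup %>:ALL` grant login to groups named after the bare hostname instead of the intended `<prefix>-<suffix>-login` / `-root` groups. Replacing the dead assignment with `<% raise "hostname #{node[:hostname]} does not match <prefix><digits><suffix>" unless node[:hostname] =~ /^(.+?)\d+(.+)$/ -%>` makes the naming convention explicit and fails the run rather than silently emitting an unexpected allow rule. A one-line comment describing the expected hostname form would help the next reader as well.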
@@ -0,0 +1,126 @@ +##### +# +# This is a slapd.conf file. See slapd.conf(5) for more info. +# +# Generated by Chef for <%= node[:fqdn] %> +# +# $Id:$ +#### + +# TLS configuration +TLSCertificateFile <%= node[:openldap][:dir] %>/ssl/<%= node[:openldap][:server] %>.pem +TLSCertificateKeyFile <%= node[:openldap][:dir] %>/ssl/<%= node[:openldap][:server] %>.pem + +# Schema and objectClass definitions +include <%= node[:openldap][:dir] %>/schema/core.schema +include <%= node[:openldap][:dir] %>/schema/cosine.schema +include <%= node[:openldap][:dir] %>/schema/nis.schema +include <%= node[:openldap][:dir] %>/schema/inetorgperson.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile <%= node[:openldap][:run_dir] %>/slapd.pid + +# List of arguments that were passed to the server +argsfile <%= node[:openldap][:run_dir] %>/slapd.args + +# Read slapd.conf(5) for possible values +loglevel 0 + +<% unless node[:platform] == "centos" -%> +# Where the dynamically loaded modules are stored +modulepath <%= node[:openldap][:module_dir] %> +moduleload back_hdb +<% if node[:openldap][:slapd_type] == "master" -%> +moduleload syncprov +<% end -%> +<% end -%> + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. +tool-threads 1 + +####################################################################### +# Specific Backend Directives for hdb: +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +backend hdb + +##### +# Database +##### +database hdb +suffix "<%= node[:openldap][:basedn] %>" +rootdn "cn=admin,<%= node[:openldap][:basedn] %>" +rootpw <%= node[:openldap][:rootpw] %> +directory "/var/lib/ldap" +lastmod on + +dbconfig set_cachesize 0 31457280 0 + +# Number of objects that can be locked at the same time. 
+dbconfig set_lk_max_objects 1500 +# Number of locks (both requested and granted) +dbconfig set_lk_max_locks 1500 +# Number of lockers +dbconfig set_lk_max_lockers 1500 + +## +# Indexes +## +index default pres,eq,approx,sub +index objectClass eq +index cn,ou,sn,uid,l,mail,gecos,memberUid,description +index loginShell,homeDirectory pres,eq,approx +index uidNumber,gidNumber pres,eq + +<% if node[:openldap][:slapd_type] == "master" -%> +overlay syncprov +syncprov-checkpoint 100 10 +syncprov-sessionlog 100 +<% else -%> +syncrepl rid=<%= node[:openldap][:slapd_rid] %> + provider=ldap://<%= node[:openldap][:slapd_master] %>:389 + type=refreshAndPersist + interval=01:00:00:00 + searchbase="<%= node[:openldap][:basedn] %>" + filter="(objectClass=*)" + scope=sub + schemachecking=off + bindmethod=simple + binddn="cn=syncrole,<%= node[:openldap][:basedn] %>" + starttls=yes + credentials="<%= node[:openldap][:slapd_replpw] %>" +<% end -%> +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by group.exact="cn=administrators,<%= node[:openldap][:basedn] %>" write + by dn="cn=syncrole,<%= node[:openldap][:basedn] %>" read + by anonymous auth + by self write + by * none + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. 
+access to * + by group.exact="cn=administrators,<%= node[:openldap][:basedn] %>" write + by dn="cn=syncrole,<%= node[:openldap][:basedn] %>" read + by * read diff --git a/cookbooks/openssh/metadata.json b/cookbooks/openssh/metadata.json new file mode 100644 index 0000000..30f1e2d --- /dev/null +++ b/cookbooks/openssh/metadata.json @@ -0,0 +1,53 @@ +{ + "platforms": { + "debian": [ + + ], + "fedora": [ + + ], + "centos": [ + + ], + "ubuntu": [ + + ], + "redhat": [ + + ] + }, + "maintainer": "Opscode, Inc.", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "cookbooks@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs openssh", + "version": "0.7.0", + "suggestions": { + + }, + "attributes": { + + }, + "conflicting": { + + }, + "name": "openssh", + "recipes": { + + }, + "dependencies": { + + }, + "long_description": "", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/openssh/metadata.rb b/cookbooks/openssh/metadata.rb new file mode 100644 index 0000000..39894c5 --- /dev/null +++ b/cookbooks/openssh/metadata.rb @@ -0,0 +1,9 @@ +maintainer "Opscode, Inc." +maintainer_email "cookbooks@opscode.com" +license "Apache 2.0" +description "Installs openssh" +version "0.7" + +%w{ redhat centos fedora ubuntu debian }.each do |os| + supports os +end diff --git a/cookbooks/openssh/recipes/default.rb b/cookbooks/openssh/recipes/default.rb new file mode 100644 index 0000000..0757bc2 --- /dev/null +++ b/cookbooks/openssh/recipes/default.rb 
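Review bot: `rootpw <%= node[:openldap][:rootpw] %>` writes the directory manager secret into slapd.conf in whatever form the attribute holds, so a cleartext attribute becomes a cleartext `rootpw`; slapd accepts a hashed value here, so the attribute should carry `slappasswd` output and a comment above the line, e.g. `# rootpw: supply a {SSHA} hash from slappasswd, not the cleartext password`, should say so. In the `syncrepl` stanza `starttls=yes` lets the consumer continue over cleartext when STARTTLS fails, which would send the `cn=syncrole` `credentials` unprotected; `starttls=critical` aborts instead. `loglevel 0` disables slapd logging entirely, leaving no record of binds or ACL denials for the host's log collection; `loglevel stats` is the usual minimum. The `TLSCertificateFile`/`TLSCertificateKeyFile` lines reference `ssl/<server>.pem`, but the `cookbook_file` that would deploy it is commented out in recipes/server.rb, so TLS will not come up unless that file is provisioned elsewhere.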
@@ -0,0 +1,41 @@
+#
+# Cookbook Name:: openssh
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+packages = case node[:platform]
+ when "centos","redhat","fedora"
+ %w{openssh-clients openssh}
+ else
+ %w{openssh-client openssh-server}
+ end
+
+packages.each do |pkg|
+ package pkg
+end
+
+service "ssh" do
+ case node[:platform]
+ when "centos","redhat","fedora"
+ service_name "sshd"
+ else
+ service_name "ssh"
+ end
+ supports :restart => true
+ action [ :enable, :start ]
+end
+
diff --git a/cookbooks/openssh/templates/default/port_ssh.erb b/cookbooks/openssh/templates/default/port_ssh.erb
new file mode 100644
index 0000000..9265619
--- /dev/null
+++ b/cookbooks/openssh/templates/default/port_ssh.erb
@@ -0,0 +1,2 @@
+# SSH
+-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
\ No newline at end of file
diff --git a/cookbooks/openssl/README.rdoc b/cookbooks/openssl/README.rdoc
new file mode 100644
index 0000000..47d6727
--- /dev/null
+++ b/cookbooks/openssl/README.rdoc
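Review bot: The recipe installs and enables the SSH daemon but manages no `sshd_config`, so authentication settings (root login, password authentication, listen addresses) are whatever each distribution's package ships, and the `port_ssh.erb` rule, wherever it is consumed, admits TCP/22 from any source. A header comment such as `# Installs and starts sshd with the distribution default sshd_config; hardening must come from another recipe` would make that boundary explicit for anyone composing roles. `supports :restart => true` on `service "ssh"` is fine, but nothing in this recipe can trigger a restart because no configuration file is templated.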
@@ -0,0 +1,33 @@ += DESCRIPTION: + +Library provides a method to generate secure passwords for use in recipes. + += REQUIREMENTS: + +OpenSSL Ruby bindings must be installed, which are a requirement for Chef anyway. + += USAGE: + +Most often this will be used to generate a secure password for an attribute. + + include Opscode::OpenSSL::Password + + set_unless[:my_password] = secure_password + += LICENSE and AUTHOR: + +Author:: Joshua Timberman () + +Copyright:: 2009, Opscode, Inc + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/cookbooks/openssl/libraries/secure_password.rb b/cookbooks/openssl/libraries/secure_password.rb new file mode 100644 index 0000000..e5fd638 --- /dev/null +++ b/cookbooks/openssl/libraries/secure_password.rb 
@@ -0,0 +1,37 @@
+#
+# Cookbook Name:: openssl
+# Library:: secure_password
+# Author:: Joshua Timberman
+#
+# Copyright 2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'openssl'
+
+module Opscode
+ module OpenSSL
+ module Password
+ def secure_password
+ pw = String.new
+
+ while pw.length < 20
+ pw << ::OpenSSL::Random.random_bytes(1).gsub(/\W/, '')
+ end
+
+ pw
+ end
+ end
+ end
+end
diff --git a/cookbooks/openssl/metadata.json b/cookbooks/openssl/metadata.json
new file mode 100644
index 0000000..a45758e
--- /dev/null
+++ b/cookbooks/openssl/metadata.json
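Review bot: `secure_password` documents none of its contract: the result is exactly 20 characters drawn from `\w` (letters, digits and `_`), filtered out of `::OpenSSL::Random.random_bytes` output by `gsub(/\W/, '')`, and callers should know both the fixed length and that `_` can appear. A comment above `def secure_password` stating the length, the alphabet and that the bytes come from OpenSSL's CSPRNG is the minimum. Pulling one byte per iteration with `random_bytes(1)` means roughly four calls per kept character; `random_bytes(32)` inside the loop followed by `pw[0, 20]` as the return value yields the same distribution in one or two calls.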
@@ -0,0 +1,39 @@ +{ + "platforms": { + + }, + "maintainer": "Opscode, Inc.", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "cookbooks@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs/Configures openssl", + "version": "0.1.0", + "suggestions": { + + }, + "attributes": { + + }, + "conflicting": { + + }, + "name": "openssl", + "recipes": { + + }, + "dependencies": { + + }, + "long_description": "= DESCRIPTION:\n\nLibrary provides a method to generate secure passwords for use in recipes.\n\n= REQUIREMENTS:\n\nOpenSSL Ruby bindings must be installed, which are a requirement for Chef anyway.\n\n= USAGE:\n\nMost often this will be used to generate a secure password for an attribute.\n\n include Opscode::OpenSSL::Password\n\n set_unless[:my_password] = secure_password\n\n= LICENSE and AUTHOR:\n\nAuthor:: Joshua Timberman ()\n\nCopyright:: 2009, Opscode, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/openssl/metadata.rb b/cookbooks/openssl/metadata.rb new file mode 100644 index 0000000..ae2a684 --- /dev/null +++ b/cookbooks/openssl/metadata.rb @@ -0,0 +1,6 @@ +maintainer "Opscode, Inc." +maintainer_email "cookbooks@opscode.com" +license "Apache 2.0" +description "Installs/Configures openssl" +long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc')) +version "0.1" 
diff --git a/cookbooks/openssl/recipes/default.rb b/cookbooks/openssl/recipes/default.rb new file mode 100644 index 0000000..9850a28 --- /dev/null +++ b/cookbooks/openssl/recipes/default.rb @@ -0,0 +1,19 @@ +# +# Cookbook Name:: openssl +# Recipe:: default +# +# Copyright 2009, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + diff --git a/cookbooks/python-ldap/README.rdoc b/cookbooks/python-ldap/README.rdoc new file mode 100644 index 0000000..3de2ec7 --- /dev/null +++ b/cookbooks/python-ldap/README.rdoc @@ -0,0 +1,8 @@ += DESCRIPTION: + += REQUIREMENTS: + += ATTRIBUTES: + += USAGE: + diff --git a/cookbooks/python-ldap/metadata.json b/cookbooks/python-ldap/metadata.json new file mode 100644 index 0000000..06a9279 --- /dev/null +++ b/cookbooks/python-ldap/metadata.json @@ -0,0 +1,39 @@ +{ + "platforms": { + + }, + "maintainer": "Adam Jacob", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "adam@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs/Configures python-ldap", + "version": "0.0.1", + "suggestions": { + + }, + "attributes": { + + }, + "conflicting": { + + }, + "name": "python-ldap", + "recipes": { + + }, + "dependencies": { + + }, + "long_description": "= DESCRIPTION:\n\n= REQUIREMENTS:\n\n= ATTRIBUTES:\n\n= USAGE:\n\n", + "providing": { + + } +} \ No newline at end of file 
diff --git a/cookbooks/python-ldap/metadata.rb b/cookbooks/python-ldap/metadata.rb new file mode 100644 index 0000000..4efd758 --- /dev/null +++ b/cookbooks/python-ldap/metadata.rb @@ -0,0 +1,6 @@ +maintainer "Adam Jacob" +maintainer_email "adam@opscode.com" +license "Apache 2.0" +description "Installs/Configures python-ldap" +long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc')) +version "0.0.1" diff --git a/cookbooks/python-ldap/recipes/default.rb b/cookbooks/python-ldap/recipes/default.rb new file mode 100644 index 0000000..8f4ea01 --- /dev/null +++ b/cookbooks/python-ldap/recipes/default.rb @@ -0,0 +1,20 @@ +# +# Cookbook Name:: python-ldap +# Recipe:: default +# +# Copyright 2010, Adam Jacob +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +package "python-ldap" diff --git a/cookbooks/rabbitmq/README b/cookbooks/rabbitmq/README new file mode 100644 index 0000000..a5d2b80 --- /dev/null +++ b/cookbooks/rabbitmq/README @@ -0,0 +1,7 @@ +This is a cookbook for managing RabbitMQ with Chef. It has sane defaults, but can also be configured via attributes. It is quite useful as is, but has two areas for improvement: + +1) While it can create cluster configuration files, it does not currently do the dance to join the cluster members to each other. + +2) The Erlang run parameters are currently an opaque string. They should really be a set of tunables to be manipulated by name. + +Share and enjoy! \ No newline at end of file 
diff --git a/cookbooks/rabbitmq/attributes/rabbitmq.rb b/cookbooks/rabbitmq/attributes/rabbitmq.rb new file mode 100644 index 0000000..2e78fe2 --- /dev/null +++ b/cookbooks/rabbitmq/attributes/rabbitmq.rb @@ -0,0 +1,12 @@ +default[:rabbitmq][:nodename] = "rabbit" +default[:rabbitmq][:address] = "0.0.0.0" +default[:rabbitmq][:port] = "5672" +default[:rabbitmq][:erl_args] = "+K true +A 30 \ +-kernel inet_default_listen_options [{nodelay,true},{sndbuf,16384},{recbuf,4096}] \ +-kernel inet_default_connect_options [{nodelay,true}]" +default[:rabbitmq][:start_args] = "" +default[:rabbitmq][:logdir] = "/var/log/rabbitmq" +default[:rabbitmq][:mnesiadir] = "/var/lib/rabbitmq/mnesia" +default[:rabbitmq][:cluster] = "no" +default[:rabbitmq][:cluster_config] = "/etc/rabbitmq/rabbitmq_cluster.config" +default[:rabbitmq][:cluster_disk_nodes] = [] diff --git a/cookbooks/rabbitmq/metadata.json b/cookbooks/rabbitmq/metadata.json new file mode 100644 index 0000000..0307eda --- /dev/null +++ b/cookbooks/rabbitmq/metadata.json 
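Review bot: `default[:rabbitmq][:address] = "0.0.0.0"` binds the broker on every interface, and nothing in the cookbook manages broker users, so whatever credentials the package configures are reachable on `5672` network-wide; a comment such as `# 0.0.0.0 exposes AMQP on all interfaces; override with a private address where clients are local` would make the choice deliberate. `erl_args` is a multi-word string with spaces and braces that rabbitmq.config.erb later substitutes unquoted into `SERVER_ERL_ARGS=`; see the note on that template.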
@@ -0,0 +1,183 @@ +{ + "platforms": { + "debian": [ + + ], + "ubuntu": [ + + ] + }, + "maintainer": "Benjamin Black", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "b@b3k.us", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs and configures RabbitMQ server", + "version": "0.1.0", + "suggestions": { + + }, + "attributes": { + "rabbitmq/cluster": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "no", + "type": "string", + "recipes": [ + + ], + "description": "Whether to activate clustering. The default is no.", + "display_name": "RabbitMQ clustering" + }, + "rabbitmq/erlang_cookie": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "type": "string", + "recipes": [ + + ], + "description": "Access cookie for clustering nodes. There is no default.", + "display_name": "RabbitMQ Erlang cookie" + }, + "rabbitmq/nodename": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "rabbit", + "type": "string", + "recipes": [ + + ], + "description": "The Erlang node name for this server. The default is rabbit.", + "display_name": "RabbitMQ Erlang node name" + }, + "rabbitmq/mnesiadir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/var/lib/rabbitmq/mnesia", + "type": "string", + "recipes": [ + + ], + "description": "Path to the directory for Mnesia database files. The default is /var/lib/rabbitmq/mnesia.", + "display_name": "RabbitMQ Mnesia database directory" + }, + "rabbitmq/cluster_config": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/etc/rabbitmq/rabbitmq_cluster.config", + "type": "string", + "recipes": [ + + ], + "description": "Path to the clustering configuration file, if cluster is yes. 
The default is /etc/rabbitmq/rabbitmq_cluster.config.", + "display_name": "RabbitMQ clustering configuration file" + }, + "rabbitmq/logdir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/var/log/rabbitmq", + "type": "string", + "recipes": [ + + ], + "description": "Path to the directory for log files. The default is /var/log/rabbitmq.", + "display_name": "RabbitMQ log directory" + }, + "rabbitmq/cluster_disk_nodes": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": [ + + ], + "type": "array", + "recipes": [ + + ], + "description": "Array of member Erlang nodenames for the disk-based storage nodes in the cluster. The default is [].", + "display_name": "RabbitMQ cluster disk nodes" + }, + "rabbitmq/address": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "0.0.0.0", + "type": "string", + "recipes": [ + + ], + "description": "IP address to bind. The default is any.", + "display_name": "RabbitMQ server IP address" + }, + "rabbitmq/port": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "5672", + "type": "string", + "recipes": [ + + ], + "description": "TCP port to bind. The default is 5672.", + "display_name": "RabbitMQ server port" + }, + "rabbitmq": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "type": "hash", + "recipes": [ + + ], + "description": "Hash of RabbitMQ attributes", + "display_name": "RabbitMQ" + } + }, + "conflicting": { + + }, + "name": "rabbitmq", + "recipes": { + "rabbitmq::cluster": "Set up RabbitMQ clustering." + }, + "dependencies": { + + }, + "long_description": "", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/rabbitmq/metadata.rb b/cookbooks/rabbitmq/metadata.rb new file mode 100644 index 0000000..2186cea --- /dev/null +++ b/cookbooks/rabbitmq/metadata.rb 
@@ -0,0 +1,61 @@ +maintainer "Benjamin Black" +maintainer_email "b@b3k.us" +license "Apache 2.0" +description "Installs and configures RabbitMQ server" +version "0.1" +recipe "rabbitmq::cluster", "Set up RabbitMQ clustering." + +%w{ubuntu debian}.each do |os| + supports os +end + +attribute "rabbitmq", + :display_name => "RabbitMQ", + :description => "Hash of RabbitMQ attributes", + :type => "hash" + +attribute "rabbitmq/nodename", + :display_name => "RabbitMQ Erlang node name", + :description => "The Erlang node name for this server. The default is rabbit.", + :default => "rabbit" + +attribute "rabbitmq/address", + :display_name => "RabbitMQ server IP address", + :description => "IP address to bind. The default is any.", + :default => "0.0.0.0" + +attribute "rabbitmq/port", + :display_name => "RabbitMQ server port", + :description => "TCP port to bind. The default is 5672.", + :default => "5672" + +attribute "rabbitmq/logdir", + :display_name => "RabbitMQ log directory", + :description => "Path to the directory for log files. The default is /var/log/rabbitmq.", + :default => "/var/log/rabbitmq" + +attribute "rabbitmq/mnesiadir", + :display_name => "RabbitMQ Mnesia database directory", + :description => "Path to the directory for Mnesia database files. The default is /var/lib/rabbitmq/mnesia.", + :default => "/var/lib/rabbitmq/mnesia" + +attribute "rabbitmq/cluster", + :display_name => "RabbitMQ clustering", + :description => "Whether to activate clustering. The default is no.", + :default => "no" + +attribute "rabbitmq/cluster_config", + :display_name => "RabbitMQ clustering configuration file", + :description => "Path to the clustering configuration file, if cluster is yes. 
The default is /etc/rabbitmq/rabbitmq_cluster.config.", + :default => "/etc/rabbitmq/rabbitmq_cluster.config" + +attribute "rabbitmq/cluster_disk_nodes", + :display_name => "RabbitMQ cluster disk nodes", + :description => "Array of member Erlang nodenames for the disk-based storage nodes in the cluster. The default is [].", + :default => [], + :type => "array" + +attribute "rabbitmq/erlang_cookie", + :display_name => "RabbitMQ Erlang cookie", + :description => "Access cookie for clustering nodes. There is no default." + \ No newline at end of file diff --git a/cookbooks/rabbitmq/recipes/cluster.rb b/cookbooks/rabbitmq/recipes/cluster.rb new file mode 100644 index 0000000..9191f6a --- /dev/null +++ b/cookbooks/rabbitmq/recipes/cluster.rb @@ -0,0 +1,35 @@ +# +# Cookbook Name:: rabbitmq +# Recipe:: cluster +# +# Copyright 2009, Benjamin Black +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +include_recipe "rabbitmq::default" + +template "/var/lib/rabbitmq/.erlang.cookie" do + source "doterlang.cookie.erb" + owner "rabbitmq" + group "rabbitmq" + mode 0400 +end + +template "/etc/rabbitmq/rabbitmq_cluster.config" do + source "rabbitmq_cluster.config.erb" + owner "root" + group "root" + mode 0644 + notifies :restart, resources(:service => "rabbitmq-server") +end + diff --git a/cookbooks/rabbitmq/recipes/default.rb b/cookbooks/rabbitmq/recipes/default.rb new file mode 100644 index 0000000..e4464ea --- /dev/null +++ b/cookbooks/rabbitmq/recipes/default.rb 
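Review bot: `template "/var/lib/rabbitmq/.erlang.cookie"` in cluster.rb has no `notifies`, so a changed cookie is written but the running `rabbitmq-server` keeps the old one until something else restarts it; add `notifies :restart, resources(:service => "rabbitmq-server")` as the cluster config template below already does. `rabbitmq/erlang_cookie` has no default (metadata.rb says "There is no default"), so with the attribute unset the template renders an empty cookie file; a guard such as `raise "rabbitmq/erlang_cookie must be set for clustering" unless node[:rabbitmq][:erlang_cookie]` before the template fails the run instead. The cluster config path is hardcoded as `/etc/rabbitmq/rabbitmq_cluster.config` while `default[:rabbitmq][:cluster_config]` carries the same path as an attribute; using `node[:rabbitmq][:cluster_config]` here keeps the written file and the `CLUSTER_CONFIG_FILE=` line in rabbitmq.config.erb pointing at the same place. The cookie is a shared secret that grants full control of the Erlang node, and as a plain node attribute it is stored on the Chef server with the rest of the node data; a comment noting that is worth adding next to the template.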
@@ -0,0 +1,35 @@
+#
+# Cookbook Name:: rabbitmq
+# Recipe:: default
+#
+# Copyright 2009, Benjamin Black
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "rabbitmq-server" do
+ action :install
+end
+
+service "rabbitmq-server" do
+ supports :status => true, :restart => true, :reload => true
+ action [ :enable, :start ]
+end
+
+template "/etc/rabbitmq/rabbitmq.conf" do
+ source "rabbitmq.config.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ notifies :restart, resources(:service => "rabbitmq-server")
+end
diff --git a/cookbooks/rabbitmq/templates/default/doterlang.cookie.erb b/cookbooks/rabbitmq/templates/default/doterlang.cookie.erb
new file mode 100644
index 0000000..e143dc6
--- /dev/null
+++ b/cookbooks/rabbitmq/templates/default/doterlang.cookie.erb
@@ -0,0 +1 @@
+<%= @node[:rabbitmq][:erlang_cookie] %>
\ No newline at end of file
diff --git a/cookbooks/rabbitmq/templates/default/rabbitmq.config.erb b/cookbooks/rabbitmq/templates/default/rabbitmq.config.erb
new file mode 100644
index 0000000..cbc64d9
--- /dev/null
+++ b/cookbooks/rabbitmq/templates/default/rabbitmq.config.erb
@@ -0,0 +1,12 @@
+###
+# Generated by Chef for <%= @node[:fqdn] %>
+###
+
+NODENAME=<%= @node[:rabbitmq][:nodename] %>
+NODE_IP_ADDRESS=<%= @node[:rabbitmq][:address] %>
+NODE_PORT=<%= @node[:rabbitmq][:port] %>
+SERVER_ERL_ARGS=<%= @node[:rabbitmq][:erl_args] %>
+CLUSTER_CONFIG_FILE=<%= @node[:rabbitmq][:cluster_config] %>
+LOG_BASE=<%= @node[:rabbitmq][:logdir] %>
+MNESIA_BASE=<%= @node[:rabbitmq][:mnesiadir] %>
+SERVER_START_ARGS=<%= @node[:rabbitmq][:start_args] %>
diff --git a/cookbooks/rabbitmq/templates/default/rabbitmq_cluster.config.erb b/cookbooks/rabbitmq/templates/default/rabbitmq_cluster.config.erb
new file mode 100644
index 0000000..0be2da7
--- /dev/null
+++ b/cookbooks/rabbitmq/templates/default/rabbitmq_cluster.config.erb
@@ -0,0 +1,5 @@
+%%%
+%% Generated by Chef for <%= @node[:fqdn] %>
+%%%
+
+[<%= @node[:rabbitmq][:cluster_disk_nodes].map{|n| "\'#{n}\'"}.join(',') %>].
diff --git a/cookbooks/ruby/README.rdoc b/cookbooks/ruby/README.rdoc
new file mode 100644
index 0000000..48147ae
--- /dev/null
+++ b/cookbooks/ruby/README.rdoc
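Review bot: `SERVER_ERL_ARGS=<%= @node[:rabbitmq][:erl_args] %>` emits the attribute unquoted, and the cookbook's default `erl_args` contains spaces and braces, so if this file is sourced as a shell fragment — which its `NAME=value` form suggests — the line expands to `SERVER_ERL_ARGS=+K true +A 30 ...` and only `+K` is assigned; `SERVER_ERL_ARGS="<%= @node[:rabbitmq][:erl_args] %>"` and likewise `SERVER_START_ARGS="<%= @node[:rabbitmq][:start_args] %>"` avoid that. In rabbitmq_cluster.config.erb the node names are wrapped with `"\'#{n}\'"`, where the backslashes are redundant inside a double-quoted string, and no escaping is applied to the name itself, so a name containing `'` yields a malformed Erlang term; a comment stating the expected node-name form (`rabbit@host`) would document that assumption.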
@@ -0,0 +1,60 @@ += DESCRIPTION: + +Installs Ruby and related packages. + += REQUIREMENTS: + +== Platform: + +Tested on Ubuntu 10.04. Debian and Gentoo should also work fully. CentOS, Red Hat, Fedora and Arch are partially supported. + += ATTRIBUTES: + +* +languages[:ruby][:default_version]+ - The Ruby version to install with the ruby recipe and create symlinks for with the symlinks recipe. + += USAGE: + +Previous versions of this cookbook gave you no control over which version of Ruby would be installed. We are now in the middle of an awkward period where you are equally likely to want 1.8 or 1.9. You may even want both. This is now catered for. To install specific versions side-by-side, use the 1.8, 1.9 or 1.9.1 recipes. The ruby recipe will install the version specified by +languages[:ruby][:default_version]+. If you want to do something other than install these packages, the +ruby_packages+ definition is provided as a wrapper around the package resource. Just specify the version number. + +For example, to use the default recipe in a role named "base", use 'ruby' in the run list and set the +languages[:ruby][:default_version]+ attribute: + + { + "name": "base", + "description": "Base role is applied to all systems", + "json_class": "Chef::Role", + "default_attributes": { + }, + "override_attributes": { + "languages": { + "ruby": { + "default_version": "1.8" + } + } + }, + "chef_type": "role", + "run_list": [ + "recipe[ruby]" + ] + } + +Many scripts, including those provided by Rails, don't ask for a particular version of Ruby such as "ruby1.8" and simply look for "ruby" instead. Sometimes a symlink is provided and sometimes the executable is simply called "ruby" in the first place but generally speaking, it is difficult to predict this behaviour, especially when Ruby Gems is thrown into the mix. 
The symlinks recipe seeks to relieve you of this headache by creating symlinks for the common executables pointing to the Ruby version specified by +languages[:ruby][:default_version]+. This is also available as a definition called +ruby_symlinks+, which is a wrapper around the link resource. As before, just specify the version number. Non-symlinks will not be overwritten unless you set force to true. You can also set a path other than /usr/bin if necessary. + +*IMPORTANT!* Only Ubuntu, Debian and Gentoo support installing a specific Ruby version at all. yum-based distributions install 1.8 by default but require you to give the full package version otherwise. Maybe some magic could be added to Chef? Arch installs 1.9.2 by default but 1.8 is only available from AUR. Additionally, Ubuntu and Debian group 1.9.2 with 1.9.1 while Gentoo lumps all 1.9 releases together. + += LICENSE and AUTHOR: + +Author:: Joshua Timberman (), James Le Cuirot () + +Copyright:: 2009-2010, Opscode, Inc; 2010, FindsYou Limited + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/cookbooks/ruby/definitions/ruby_packages.rb b/cookbooks/ruby/definitions/ruby_packages.rb new file mode 100644 index 0000000..5de97ef --- /dev/null +++ b/cookbooks/ruby/definitions/ruby_packages.rb 
@@ -0,0 +1,77 @@
+#
+# Cookbook Name:: ruby
+# Definition:: ruby_packages
+#
+# Copyright 2008-2009, Opscode, Inc.
+# Copyright 2010, FindsYou Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+define :ruby_packages, :action => :install do
+ rv = params[:name].to_s
+ raise "A Ruby version such as 1.8, 1.9 or 1.9.1 must be given" if rv.empty?
+
+ packages = case node[:platform]
+ when "ubuntu","debian"
+ [
+ "ruby#{rv}",
+ "ruby#{rv}-dev",
+ "ri#{rv}",
+ ("libshadow-ruby1.8" if rv == "1.8")
+ ].compact
+
+ when "gentoo"
+ rv = rv.slice(0..2)
+ target = "ruby" + rv.delete('.')
+
+ [
+ # ruby-ssl is before ruby to ensure that ruby is initially
+ # installed with the ssl USE flag enabled.
+ "virtual/ruby-ssl:#{target}",
+ "dev-lang/ruby:#{rv}",
+ "virtual/ruby-rdoc:#{target}",
+ ("dev-ruby/ruby-shadow" if rv == "1.8")
+ ].compact
+
+ when "centos","redhat","fedora"
+ # yum requires full version numbers. :(
+ %w{
+ ruby
+ ruby-libs
+ ruby-devel
+ ruby-docs
+ ruby-ri
+ ruby-irb
+ ruby-rdoc
+ ruby-mode
+ }
+
+ when "arch"
+ # 1.8 only available from AUR. :(
+ %w{
+ ruby
+ ruby-docs
+ }
+ end
+
+ unless packages.nil?
+ packages.each do |pkg|
+ p=package pkg do
+ action params[:action]
+ end
+ p.run_action(params[:action])
+
+ end
+ end
+end
diff --git a/cookbooks/ruby/definitions/ruby_symlinks.rb b/cookbooks/ruby/definitions/ruby_symlinks.rb
new file mode 100644
index 0000000..2e45e3a
--- /dev/null
+++ b/cookbooks/ruby/definitions/ruby_symlinks.rb
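Review bot: The only validation of `rv` is `raise ... if rv.empty?`, yet the value is then spliced into package names (`"ruby#{rv}"`, `"dev-lang/ruby:#{rv}"`) which, as far as I recall, the apt and yum providers of this Chef generation interpolate into a shell command line; since `rv` comes from a node attribute, a one-line whitelist such as `raise "A Ruby version such as 1.8, 1.9 or 1.9.1 must be given" unless rv =~ /\A\d+\.\d+(\.\d+)?\z/` pins the shape the error message already promises. `p.run_action(params[:action])` also executes each package action during the compile phase, before the rest of the run list is evaluated, which defeats resource ordering and why-run; if that is intentional (a later recipe needs the interpreter at compile time), say so in a comment, otherwise drop the `run_action` line and let convergence handle it.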
@@ -0,0 +1,42 @@
+#
+# Cookbook Name:: ruby
+# Definition:: ruby_symlinks
+#
+# Copyright 2010, FindsYou Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+define :ruby_symlinks, :action => :create, :force => false, :path => '/usr/bin' do
+ rv = params[:name].to_s
+ rv = rv.slice(0..2).delete(".") if node[:platform] == "gentoo"
+
+ %w( ruby irb erb ri testrb rdoc gem rake ).each do |name|
+ path = File.join(params[:path], name)
+ scope = self
+
+ link path do
+ to path + rv
+ action params[:action]
+
+ unless params[:force]
+ not_if do
+ if File.exists?(path) and not File.symlink?(path)
+ scope.log "Not modifying non-symbolic-link #{path}"
+ true
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/cookbooks/ruby/metadata.json b/cookbooks/ruby/metadata.json
new file mode 100644
index 0000000..36123fd
--- /dev/null
+++ b/cookbooks/ruby/metadata.json
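Review bot: `link path do to path + rv` creates `/usr/bin/ruby -> /usr/bin/ruby1.9` whether or not that target exists, and with `:force => true` it will happily replace a real binary, so a mistyped `languages[:ruby][:default_version]` leaves dangling or clobbered entries for eight tools in a directory on root's PATH. Add `only_if { ::File.exist?(path + rv) }` inside the `link` block so a symlink is only created for an interpreter that is actually installed, and keep the existing `not_if` guard for the non-symlink case. A log line when the target is missing (`scope.log "#{path + rv} not installed, skipping symlink"`) would make the skip visible in the run output.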
@@ -0,0 +1,79 @@ +{ + "platforms": { + "debian": [ + + ], + "fedora": [ + + ], + "centos": [ + + ], + "arch": [ + + ], + "gentoo": [ + + ], + "ubuntu": [ + + ], + "redhat": [ + + ] + }, + "maintainer": "Opscode, Inc.", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "cookbooks@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs Ruby and related packages", + "version": "0.9.0", + "suggestions": { + + }, + "attributes": { + "languages/ruby/default_version": { + "required": "optional", + "calculated": false, + "choice": [ + "1.8", + "1.9", + "1.9.1" + ], + "default": "1.8", + "type": "string", + "recipes": [ + "ruby", + "symlinks" + ], + "description": "The Ruby version to install with the ruby recipe and create symlinks for with the symlinks recipe. Unfortunately this setting only works fully on Ubuntu, Debian and Gentoo.", + "display_name": "Default Ruby version" + } + }, + "conflicting": { + + }, + "name": "ruby", + "recipes": { + "symlinks": "Installs symlinks for the default Ruby version", + "1.9.1": "Installs Ruby 1.9.1 and related packages", + "1.8": "Installs Ruby 1.8 and related packages", + "1.9": "Installs Ruby 1.9 and related packages", + "ruby": "Installs Ruby and related packages" + }, + "dependencies": { + + }, + "long_description": "= DESCRIPTION:\n\nInstalls Ruby and related packages.\n\n= REQUIREMENTS:\n\n== Platform:\n\nTested on Ubuntu 10.04. Debian and Gentoo should also work fully. CentOS, Red Hat, Fedora and Arch are partially supported.\n\n= ATTRIBUTES:\n\n* +languages[:ruby][:default_version]+ - The Ruby version to install with the ruby recipe and create symlinks for with the symlinks recipe.\n\n= USAGE:\n\nPrevious versions of this cookbook gave you no control over which version of Ruby would be installed. We are now in the middle of an awkward period where you are equally likely to want 1.8 or 1.9. You may even want both. This is now catered for. 
To install specific versions side-by-side, use the 1.8, 1.9 or 1.9.1 recipes. The ruby recipe will install the version specified by +languages[:ruby][:default_version]+. If you want to do something other than install these packages, the +ruby_packages+ definition is provided as a wrapper around the package resource. Just specify the version number.\n\nFor example, to use the default recipe in a role named \"base\", use 'ruby' in the run list and set the +languages[:ruby][:default_version]+ attribute:\n\n {\n \"name\": \"base\",\n \"description\": \"Base role is applied to all systems\",\n \"json_class\": \"Chef::Role\",\n \"default_attributes\": {\n },\n \"override_attributes\": {\n \"languages\": {\n \"ruby\": {\n \"default_version\": \"1.8\"\n }\n }\n },\n \"chef_type\": \"role\",\n \"run_list\": [\n \"recipe[ruby]\"\n ]\n }\n\nMany scripts, including those provided by Rails, don't ask for a particular version of Ruby such as \"ruby1.8\" and simply look for \"ruby\" instead. Sometimes a symlink is provided and sometimes the executable is simply called \"ruby\" in the first place but generally speaking, it is difficult to predict this behaviour, especially when Ruby Gems is thrown into the mix. The symlinks recipe seeks to relieve you of this headache by creating symlinks for the common executables pointing to the Ruby version specified by +languages[:ruby][:default_version]+. This is also available as a definition called +ruby_symlinks+, which is a wrapper around the link resource. As before, just specify the version number. Non-symlinks will not be overwritten unless you set force to true. You can also set a path other than /usr/bin if necessary.\n\n*IMPORTANT!* Only Ubuntu, Debian and Gentoo support installing a specific Ruby version at all. yum-based distributions install 1.8 by default but require you to give the full package version otherwise. Maybe some magic could be added to Chef? Arch installs 1.9.2 by default but 1.8 is only available from AUR. 
Additionally, Ubuntu and Debian group 1.9.2 with 1.9.1 while Gentoo lumps all 1.9 releases together.\n\n= LICENSE and AUTHOR:\n\nAuthor:: Joshua Timberman (), James Le Cuirot ()\n\nCopyright:: 2009-2010, Opscode, Inc; 2010, FindsYou Limited\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/ruby/metadata.rb b/cookbooks/ruby/metadata.rb new file mode 100644 index 0000000..9ab210d --- /dev/null +++ b/cookbooks/ruby/metadata.rb 
@@ -0,0 +1,23 @@ +maintainer "Opscode, Inc." +maintainer_email "cookbooks@opscode.com" +license "Apache 2.0" +description "Installs Ruby and related packages" +long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc')) +version "0.9.0" + +recipe "ruby", "Installs Ruby and related packages" +recipe "1.8", "Installs Ruby 1.8 and related packages" +recipe "1.9", "Installs Ruby 1.9 and related packages" +recipe "1.9.1", "Installs Ruby 1.9.1 and related packages" +recipe "symlinks", "Installs symlinks for the default Ruby version" + +attribute "languages/ruby/default_version", + :display_name => "Default Ruby version", + :recipes => [ "ruby", "symlinks" ], + :choice => [ "1.8", "1.9", "1.9.1" ], + :default => "1.8", + :description => "The Ruby version to install with the ruby recipe and create symlinks for with the symlinks recipe. Unfortunately this setting only works fully on Ubuntu, Debian and Gentoo." + +%w{ centos redhat fedora ubuntu debian arch gentoo }.each do |os| + supports os +end diff --git a/cookbooks/ruby/recipes/1.8.rb b/cookbooks/ruby/recipes/1.8.rb new file mode 100644 index 0000000..559db9d --- /dev/null +++ b/cookbooks/ruby/recipes/1.8.rb @@ -0,0 +1,20 @@ +# +# Cookbook Name:: ruby +# Recipe:: 1.8 +# +# Copyright 2010, FindsYou Limited +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +ruby_packages "1.8" diff --git a/cookbooks/ruby/recipes/1.9.1.rb b/cookbooks/ruby/recipes/1.9.1.rb new file mode 100644 index 0000000..e3e8cfa 
--- /dev/null +++ b/cookbooks/ruby/recipes/1.9.1.rb @@ -0,0 +1,20 @@ +# +# Cookbook Name:: ruby +# Recipe:: 1.9.1 +# +# Copyright 2010, FindsYou Limited +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +ruby_packages "1.9.1" diff --git a/cookbooks/ruby/recipes/1.9.rb b/cookbooks/ruby/recipes/1.9.rb new file mode 100644 index 0000000..70bfe21 --- /dev/null +++ b/cookbooks/ruby/recipes/1.9.rb @@ -0,0 +1,20 @@ +# +# Cookbook Name:: ruby +# Recipe:: 1.9 +# +# Copyright 2010, FindsYou Limited +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +ruby_packages "1.9" diff --git a/cookbooks/ruby/recipes/default.rb b/cookbooks/ruby/recipes/default.rb new file mode 100644 index 0000000..9a7964e --- /dev/null +++ b/cookbooks/ruby/recipes/default.rb 
@@ -0,0 +1,20 @@
+#
+# Cookbook Name:: ruby
+# Recipe:: default
+#
+# Copyright 2010, FindsYou Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ruby_packages node[:languages][:ruby][:default_version] || "1.8"
diff --git a/cookbooks/ruby/recipes/symlinks.rb b/cookbooks/ruby/recipes/symlinks.rb
new file mode 100644
index 0000000..60ef6cf
--- /dev/null
+++ b/cookbooks/ruby/recipes/symlinks.rb
@@ -0,0 +1,20 @@
+#
+# Cookbook Name:: ruby
+# Recipe:: symlinks
+#
+# Copyright 2010, FindsYou Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ruby_symlinks node[:languages][:ruby][:default_version] || "1.8"
diff --git a/cookbooks/runit/attributes/default.rb b/cookbooks/runit/attributes/default.rb
new file mode 100644
index 0000000..143b420
--- /dev/null
+++ b/cookbooks/runit/attributes/default.rb
@@ -0,0 +1,31 @@
+#
+# Cookbook Name:: runit
+# Attribute File:: sv_bin
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case platform
+when "ubuntu","debian"
+ set[:runit][:sv_bin] = "/usr/bin/sv"
+ set[:runit][:chpst_bin] = "/usr/bin/chpst"
+ set[:runit][:service_dir] = "/etc/service"
+ set[:runit][:sv_dir] = "/etc/sv"
+when "gentoo"
+ set[:runit][:sv_bin] = "/usr/bin/sv"
+ set[:runit][:chpst_bin] = "/usr/bin/chpst"
+ set[:runit][:service_dir] = "/etc/service"
+ set[:runit][:sv_dir] = "/var/service"
+end
diff --git a/cookbooks/runit/definitions/runit_service.rb b/cookbooks/runit/definitions/runit_service.rb
new file mode 100644
index 0000000..326f9e2
--- /dev/null
+++ b/cookbooks/runit/definitions/runit_service.rb
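Review bot: The `case platform` has no `else`, so on any platform other than ubuntu, debian or gentoo `node[:runit][:sv_dir]` and `node[:runit][:service_dir]` stay nil; `runit_service` then builds `sv_dir_name` as `"/#{params[:name]}"` and creates service directories at the filesystem root instead of failing. Either move the three shared values (`sv_bin`, `chpst_bin`, `service_dir`) above the `case` as unconditional defaults and switch only `sv_dir`, or add `else raise "runit cookbook does not support #{platform}"` so an unsupported host fails loudly.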
@@ -0,0 +1,159 @@
+#
+# Cookbook Name:: runit
+# Definition:: runit_service
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+define :runit_service, :directory => nil, :only_if => false, :finish_script => false, :control => [], :run_restart => true, :active_directory => nil, :owner => "root", :group => "root", :template_name => nil, :start_command => "start", :stop_command => "stop", :restart_command => "restart", :status_command => "status", :options => Hash.new, :env => Hash.new do
+ include_recipe "runit"
+
+ params[:directory] ||= node[:runit][:sv_dir]
+ params[:active_directory] ||= node[:runit][:service_dir]
+ params[:template_name] ||= params[:name]
+
+ sv_dir_name = "#{params[:directory]}/#{params[:name]}"
+ service_dir_name = "#{params[:active_directory]}/#{params[:name]}"
+ params[:options].merge!(:env_dir => "#{sv_dir_name}/env") unless params[:env].empty?
+
+ directory sv_dir_name do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ action :create
+ end
+
+ directory "#{sv_dir_name}/log" do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ action :create
+ end
+
+ directory "#{sv_dir_name}/log/main" do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ action :create
+ end
+
+ template "#{sv_dir_name}/run" do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ source "sv-#{params[:template_name]}-run.erb"
+ cookbook params[:cookbook] if params[:cookbook]
+ if params[:options].respond_to?(:has_key?)
+ variables :options => params[:options]
+ end
+ end
+
+ template "#{sv_dir_name}/log/run" do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ source "sv-#{params[:template_name]}-log-run.erb"
+ cookbook params[:cookbook] if params[:cookbook]
+ if params[:options].respond_to?(:has_key?)
+ variables :options => params[:options]
+ end
+ end
+
+ unless params[:env].empty?
+ directory "#{sv_dir_name}/env" do
+ mode 0755
+ action :create
+ end
+
+ params[:env].each do |var, value|
+ file "#{sv_dir_name}/env/#{var}" do
+ content value
+ end
+ end
+ end
+
+ if params[:finish_script]
+ template "#{sv_dir_name}/finish" do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ source "sv-#{params[:template_name]}-finish.erb"
+ cookbook params[:cookbook] if params[:cookbook]
+ if params[:options].respond_to?(:has_key?)
+ variables :options => params[:options]
+ end
+ end
+ end
+
+ unless params[:control].empty?
+ directory "#{sv_dir_name}/control" do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ action :create
+ end
+
+ params[:control].each do |signal|
+ template "#{sv_dir_name}/control/#{signal}" do
+ owner params[:owner]
+ group params[:group]
+ mode 0755
+ source "sv-#{params[:template_name]}-control-#{signal}.erb"
+ cookbook params[:cookbook] if params[:cookbook]
+ if params[:options].respond_to?(:has_key?)
+ variables :options => params[:options]
+ end
+ end
+ end
+ end
+
+ if params[:active_directory] == node[:runit][:service_dir]
+ link "/etc/init.d/#{params[:name]}" do
+ to node[:runit][:sv_bin]
+ end
+ end
+
+ unless node[:platform] == "gentoo"
+ link service_dir_name do
+ to sv_dir_name
+ end
+ end
+
+ ruby_block "supervise_#{params[:name]}_sleep" do
+ block do
+ Chef::Log.debug("Waiting until named pipe #{sv_dir_name}/supervise/ok exists.")
+ (1..10).each {|i| sleep 1 unless ::FileTest.pipe?("#{sv_dir_name}/supervise/ok") }
+ end
+ not_if { FileTest.pipe?("#{sv_dir_name}/supervise/ok") }
+ end
+
+ service params[:name] do
+ control_cmd = node[:runit][:sv_bin]
+ if params[:owner]
+ control_cmd = "#{node[:runit][:chpst_bin]} -u #{params[:owner]} #{control_cmd}"
+ end
+ provider Chef::Provider::Service::Init
+ supports :restart => true, :status => true
+ start_command "#{control_cmd} #{params[:start_command]} #{service_dir_name}"
+ stop_command "#{control_cmd} #{params[:stop_command]} #{service_dir_name}"
+ restart_command "#{control_cmd} #{params[:restart_command]} #{service_dir_name}"
+ status_command "#{control_cmd} #{params[:status_command]} #{service_dir_name}"
+ if params[:run_restart]
+ subscribes :restart, resources(:template => "#{sv_dir_name}/run"), :delayed
+ end
+ action :nothing
+ end
+
+end
diff --git a/cookbooks/runit/files/default/runit.seed b/cookbooks/runit/files/default/runit.seed
new file mode 100644
index 0000000..6492920
--- /dev/null
+++ b/cookbooks/runit/files/default/runit.seed
@@ -0,0 +1 @@
+runit runit/signalinit boolean true
diff --git a/cookbooks/runit/files/default/runsvdir b/cookbooks/runit/files/default/runsvdir
new file mode 100644
index 0000000..e69de29
diff --git a/cookbooks/runit/files/ubuntu-6.10/runsvdir b/cookbooks/runit/files/ubuntu-6.10/runsvdir
new file mode 100644
index 0000000..4040e34
--- /dev/null
+++ b/cookbooks/runit/files/ubuntu-6.10/runsvdir
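Review bot: The `params[:env].each` loop writes every entry to `#{sv_dir_name}/env/#{var}` with the `file` resource's default owner and mode, so anything handed in through `:env` — which for a service is typically a database password or API key — lands world-readable under the sv directory, and the `env` directory itself is 0755 with no owner set, unlike every other directory in this definition. Tighten both to the service owner with `mode 0750` on the directory and `mode 0640` on the files; the run template is not in this hunk, but in the usual `chpst -e ./env -u user` shape the env dir is read before privileges are dropped, so owner-readable is enough. `var` is also interpolated straight into the path, so a key containing `/` or `..` writes outside the env directory; an identifier check before the `file` resource closes that.
```ruby
  unless params[:env].empty?
    directory "#{sv_dir_name}/env" do
      owner params[:owner]
      group params[:group]
      mode 0750
      action :create
    end

    params[:env].each do |var, value|
      # env file names become environment variable names; refuse anything that is not a plain identifier
      raise "runit_service #{params[:name]}: invalid env name #{var.inspect}" unless var.to_s =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/
      file "#{sv_dir_name}/env/#{var}" do
        owner params[:owner]
        group params[:group]
        mode 0640
        content value
      end
    end
  end
  # ... unchanged: finish/control templates, init.d and service links, supervise wait, service resource ...
```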
@@ -0,0 +1,6 @@ +start on runlevel-2 +start on runlevel-3 +start on runlevel-4 +start on runlevel-5 +stop on shutdown +respawn /usr/sbin/runsvdir-start diff --git a/cookbooks/runit/files/ubuntu-7.04/runsvdir b/cookbooks/runit/files/ubuntu-7.04/runsvdir new file mode 100644 index 0000000..ee173c9 --- /dev/null +++ b/cookbooks/runit/files/ubuntu-7.04/runsvdir @@ -0,0 +1,7 @@ +start on runlevel 2 +start on runlevel 3 +start on runlevel 4 +start on runlevel 5 +stop on shutdown +respawn +exec /usr/sbin/runsvdir-start diff --git a/cookbooks/runit/files/ubuntu-7.10/runsvdir b/cookbooks/runit/files/ubuntu-7.10/runsvdir new file mode 100644 index 0000000..ee173c9 --- /dev/null +++ b/cookbooks/runit/files/ubuntu-7.10/runsvdir @@ -0,0 +1,7 @@ +start on runlevel 2 +start on runlevel 3 +start on runlevel 4 +start on runlevel 5 +stop on shutdown +respawn +exec /usr/sbin/runsvdir-start diff --git a/cookbooks/runit/files/ubuntu-8.04/runsvdir b/cookbooks/runit/files/ubuntu-8.04/runsvdir new file mode 100644 index 0000000..ee173c9 --- /dev/null +++ b/cookbooks/runit/files/ubuntu-8.04/runsvdir @@ -0,0 +1,7 @@ +start on runlevel 2 +start on runlevel 3 +start on runlevel 4 +start on runlevel 5 +stop on shutdown +respawn +exec /usr/sbin/runsvdir-start diff --git a/cookbooks/runit/metadata.json b/cookbooks/runit/metadata.json new file mode 100644 index 0000000..eb52ee5 --- /dev/null +++ b/cookbooks/runit/metadata.json 
@@ -0,0 +1,115 @@ +{ + "platforms": { + "debian": [ + + ], + "gentoo": [ + + ], + "ubuntu": [ + + ] + }, + "maintainer": "Opscode, Inc.", + "replacing": { + + }, + "license": "Apache 2.0", + "maintainer_email": "cookbooks@opscode.com", + "groupings": { + + }, + "recommendations": { + + }, + "description": "Installs runit and provides runit_service definition", + "version": "0.14.1", + "suggestions": { + + }, + "attributes": { + "runit/sv_dir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/etc/sv", + "type": "string", + "recipes": [ + + ], + "description": "Location of services managed by runit", + "display_name": "Runit sv directory" + }, + "runit/service_dir": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/etc/service", + "type": "string", + "recipes": [ + + ], + "description": "Symlinks to services managed under runit", + "display_name": "Runit service directory" + }, + "runit": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "type": "hash", + "recipes": [ + + ], + "description": "Hash of runit attributes", + "display_name": "Runit" + }, + "runit/sv_bin": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/usr/bin/sv", + "type": "string", + "recipes": [ + + ], + "description": "Location of the sv binary", + "display_name": "Runit sv bin" + }, + "runit/chpst_bin": { + "required": "optional", + "calculated": false, + "choice": [ + + ], + "default": "/usr/bin/chpst", + "type": "string", + "recipes": [ + + ], + "description": "Location of the chpst binary", + "display_name": "Runit chpst bin" + } + }, + "conflicting": { + + }, + "name": "runit", + "recipes": { + "runit": "Installs and configures runit" + }, + "dependencies": { + + }, + "long_description": "", + "providing": { + + } +} \ No newline at end of file diff --git a/cookbooks/runit/metadata.rb b/cookbooks/runit/metadata.rb new file mode 100644 index 0000000..29dc397 
--- /dev/null +++ b/cookbooks/runit/metadata.rb @@ -0,0 +1,37 @@ +maintainer "Opscode, Inc." +maintainer_email "cookbooks@opscode.com" +license "Apache 2.0" +description "Installs runit and provides runit_service definition" +version "0.14.1" + +recipe "runit", "Installs and configures runit" + +%w{ ubuntu debian gentoo }.each do |os| + supports os +end + +attribute "runit", + :display_name => "Runit", + :description => "Hash of runit attributes", + :type => "hash" + +attribute "runit/sv_bin", + :display_name => "Runit sv bin", + :description => "Location of the sv binary", + :default => "/usr/bin/sv" + +attribute "runit/chpst_bin", + :display_name => "Runit chpst bin", + :description => "Location of the chpst binary", + :default => "/usr/bin/chpst" + +attribute "runit/service_dir", + :display_name => "Runit service directory", + :description => "Symlinks to services managed under runit", + :default => "/etc/service" + +attribute "runit/sv_dir", + :display_name => "Runit sv directory", + :description => "Location of services managed by runit", + :default => "/etc/sv" + diff --git a/cookbooks/runit/recipes/default.rb b/cookbooks/runit/recipes/default.rb new file mode 100644 index 0000000..7f80c15 --- /dev/null +++ b/cookbooks/runit/recipes/default.rb 
@@ -0,0 +1,72 @@ +# +# Cookbook Name:: runit +# Recipe:: default +# +# Copyright 2008-2010, Opscode, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +case node[:platform] +when "debian","ubuntu", "gentoo" + execute "start-runsvdir" do + command value_for_platform( + "debian" => { "default" => "runsvdir-start" }, + "ubuntu" => { "default" => "start runsvdir" }, + "gentoo" => { "default" => "/etc/init.d/runit-start start" } + ) + action :nothing + end + + execute "runit-hup-init" do + command "telinit q" + only_if "grep ^SV /etc/inittab" + action :nothing + end + + if platform? 
"gentoo" + template "/etc/init.d/runit-start" do + source "runit-start.sh.erb" + mode 0755 + end + end + + package "runit" do + action :install + if platform?("ubuntu", "debian") + response_file "runit.seed" + end + notifies value_for_platform( + "debian" => { "4.0" => :run, "default" => :nothing }, + "ubuntu" => { + "default" => :nothing, + "9.04" => :run, + "8.10" => :run, + "8.04" => :run }, + "gentoo" => { "default" => :run } + ), resources(:execute => "start-runsvdir"), :immediately + notifies value_for_platform( + "debian" => { "squeeze/sid" => :run, "default" => :nothing }, + "default" => :nothing + ), resources(:execute => "runit-hup-init"), :immediately + end + + if node[:platform] =~ /ubuntu/i && node[:platform_version].to_f <= 8.04 + cookbook_file "/etc/event.d/runsvdir" do + source "runsvdir" + mode 0644 + notifies :run, resources(:execute => "start-runsvdir"), :immediately + only_if do File.directory?("/etc/event.d") end + end + end +end diff --git a/cookbooks/runit/templates/gentoo/runit-start.sh.erb b/cookbooks/runit/templates/gentoo/runit-start.sh.erb new file mode 100644 index 0000000..a6c11b3 --- /dev/null +++ b/cookbooks/runit/templates/gentoo/runit-start.sh.erb @@ -0,0 +1,32 @@ +#!/sbin/runscript +# Copyright 1999-2006 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: $ + +depend() { + after net +} + +start() { + ebegin "Starting runsvdir" + start-stop-daemon --start --exec /usr/bin/runsvdir \ + --background --make-pidfile \ + --pidfile /var/run/runsvdir.pid -- <%= node.runit.sv_dir %> + eend $? +} + +stop() { + local ret1 ret2 + ebegin "Stopping runsvdir" + start-stop-daemon --stop --oknodo --pidfile /var/run/runsvdir.pid + ret1=$? + eend ${ret1} + + ebegin "Stopping services and logging" + sv shutdown -w 10 <%= node.runit.sv_dir %>/* + ret2=$? + eend ${ret2} + + return $((ret1+ret2)) +} + 
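Review bot: `start runsvdir`, the ubuntu branch of `execute "start-runsvdir"`, exits non-zero when the job is already running, and the `cookbook_file "/etc/event.d/runsvdir"` resource notifies it `:immediately` on every content change, so a later edit to that file on a host where runsvdir is already up would fail the whole Chef run. Guard the execute on upstart hosts with `not_if "status runsvdir | grep -q running"`, or accept the error code with `returns [0, 1]` if that attribute exists in the Chef version in use. Separately, the per-release `:run` table stops at 9.04 and the event.d branch at 8.04, so on the maverick images this repository targets (`default[:apt][:distro] = "maverick"` elsewhere in the commit) the post-install start is `:nothing`; presumably the package's own upstart job covers that, and a comment saying so would stop the next reader from treating it as an omission.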
diff --git a/cookbooks/vpc/README.rdoc b/cookbooks/vpc/README.rdoc
new file mode 100644
index 0000000..ab707a3
--- /dev/null
+++ b/cookbooks/vpc/README.rdoc
@@ -0,0 +1,9 @@
+= DESCRIPTION:
+Misc cookbooks to help setup VPC type environments.
+
+= REQUIREMENTS:
+
+= ATTRIBUTES:
+
+= USAGE:
+
diff --git a/cookbooks/vpc/attributes/apt.rb b/cookbooks/vpc/attributes/apt.rb
new file mode 100644
index 0000000..2277f80
--- /dev/null
+++ b/cookbooks/vpc/attributes/apt.rb
@@ -0,0 +1 @@
+default[:apt][:distro] = "maverick"
diff --git a/cookbooks/vpc/attributes/dev_setup.rb b/cookbooks/vpc/attributes/dev_setup.rb
new file mode 100644
index 0000000..a715a9a
--- /dev/null
+++ b/cookbooks/vpc/attributes/dev_setup.rb
@@ -0,0 +1,3 @@
+default[:vpc][:dev_setup][:user] = "stacker"
+default[:vpc][:dev_setup][:group] = "stacker"
+default[:vpc][:dev_setup][:dir] = "/home/stacker"
diff --git a/cookbooks/vpc/attributes/libvirt.rb b/cookbooks/vpc/attributes/libvirt.rb
new file mode 100644
index 0000000..2eb29bd
--- /dev/null
+++ b/cookbooks/vpc/attributes/libvirt.rb
@@ -0,0 +1 @@
+default[:libvirt][:version] = "0.8.3-1ubuntu14"
diff --git a/cookbooks/vpc/files/default/nova-compute.conf b/cookbooks/vpc/files/default/nova-compute.conf
new file mode 100644
index 0000000..eeef2d7
--- /dev/null
+++ b/cookbooks/vpc/files/default/nova-compute.conf
@@ -0,0 +1,16 @@
+description "Nova compute worker"
+author "Chef "
+
+start on (local-filesystems and net-device-up IFACE!=lo)
+stop on runlevel [016]
+
+respawn
+
+chdir /var/run
+
+pre-start script
+ mkdir -p /var/run/nova
+ chown nova:root /var/run/nova
+end script
+
+exec su -c "nova-compute --flagfile=/etc/nova/nova.conf" nova
diff --git a/cookbooks/vpc/files/default/qemu.conf b/cookbooks/vpc/files/default/qemu.conf
new file mode 100644
index 0000000..03a84db
--- /dev/null
+++ b/cookbooks/vpc/files/default/qemu.conf
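Review bot: `default[:libvirt][:version] = "0.8.3-1ubuntu14"` pins libvirt to one exact distribution build, so once a security update for libvirt lands in the archive these hosts will stay on the vulnerable build until someone edits this attribute; the recipe that consumes it is not in this commit, but I assume it is passed as `version` to a `package` resource. If the pin works around a specific bug, put the reason and the bug reference in a comment beside it (`# pinned: <bug> — drop once <fix> is in the archive`); otherwise leave `version` unset and let apt follow the security pocket.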
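Review bot: `exec su -c "nova-compute --flagfile=/etc/nova/nova.conf" nova` makes upstart supervise `su` rather than the compute worker: `stop` sends SIGTERM to `su`, and depending on the su implementation it may not reach nova-compute, which then runs on unsupervised while `respawn` can start a second copy. Run the daemon directly under the service account so it is the tracked process, e.g. `exec start-stop-daemon --start --chuid nova --exec /usr/bin/nova-compute -- --flagfile=/etc/nova/nova.conf` (or upstart's `setuid nova` stanza on releases that provide it). The `pre-start` block also leaves `/var/run/nova` with whatever umask-derived mode `mkdir -p` produces and group root; adding `chmod 0755 /var/run/nova` (or 0750 if nothing else needs it) makes the intended permissions explicit.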
@@ -0,0 +1,201 @@
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+# vnc_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+# vnc_tls = 1
+
+
+# Use of TLS requires that x509 certificates be issued. The
+# default it to keep them in /etc/pki/libvirt-vnc. This directory
+# must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# This option allows the certificate directory to be changed
+#
+# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# and encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
+#
+# vnc_tls_x509_verify = 1
+
+
+# The default VNC password. Only 8 letters are significant for
+# VNC passwords. This parameter is only used if the per-domain
+# XML config does not already provide a password. To allow
+# access without passwords, leave this commented out.
An empty
+# string will still enable passwords, but be rejected by QEMU
+# effectively preventing any use of VNC. Obviously change this
+# example here before you set this
+#
+# vnc_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the VNC server. This requires
+# a VNC client which supports the SASL protocol extension.
+# Examples include vinagre, virt-viewer and virt-manager
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+# vnc_sasl = 1
+
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+# vnc_sasl_dir = "/some/directory/sasl2"
+
+
+
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable QEMU SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead
+#
+security_driver = "none"
+
+
+# The user ID for QEMU processes run by the system instance
+#user = "root"
+
+# The group ID for QEMU processes run by the system instance
+#group = "root"
+
+# Whether libvirt should dynamically change file ownership
+# to match the configured user/group above. Defaults to 1.
+# Set to 0 to disable file ownership changes.
+#dynamic_ownership = 1
+
+
+# What cgroup controllers to make use of with QEMU guests
+#
+# - 'cpu' - use for schedular tunables
+# - 'devices' - use for device whitelisting
+#
+# NB, even if configured here, they won't be used unless
+# the adminsitrator has mounted cgroups.
eg +# +# mkdir /dev/cgroup +# mount -t cgroup -o devices,cpu none /dev/cgroup +# +# They can be mounted anywhere, and different controlers +# can be mounted in different locations. libvirt will detect +# where they are located. +# +# cgroup_controllers = [ "cpu", "devices" ] + +# This is the basic set of devices allowed / required by +# all virtual machines. +# +# As well as this, any configured block backed disks, +# all sound device, and all PTY devices are allowed. +# +# This will only need setting if newer QEMU suddenly +# wants some device we don't already know a bout. +# +#cgroup_device_acl = [ +# "/dev/null", "/dev/full", "/dev/zero", +# "/dev/random", "/dev/urandom", +# "/dev/ptmx", "/dev/kvm", "/dev/kqemu", +# "/dev/rtc", "/dev/hpet", "/dev/net/tun", +#] + +# The default format for Qemu/KVM guest save images is raw; that is, the +# memory from the domain is dumped out directly to a file. If you have +# guests with a large amount of memory, however, this can take up quite +# a bit of space. If you would like to compress the images while they +# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" +# for save_image_format. Note that this means you slow down the process of +# saving a domain in order to save disk space; the list above is in descending +# order by performance and ascending order by compression ratio. +# +# save_image_format = "raw" + +# If provided by the host and a hugetlbfs mount point is configured, +# a guest may request huge page backing. When this mount point is +# unspecified here, determination of a host mount point in /proc/mounts +# will be attempted. Specifying an explicit mount overrides detection +# of the same in /proc/mounts. Setting the mount point to "" will +# disable guest hugepage backing. 
+#
+# NB, within this mount point, guests will create memory backing files
+# in a location of $MOUNTPOINT/libvirt/qemu
+
+# hugetlbfs_mount = "/dev/hugepages"
+
+# mac_filter enables MAC addressed based filtering on bridge ports.
+# This currently requires ebtables to be installed.
+#
+# mac_filter = 1
+
+# By default, PCI devices below non-ACS switch are not allowed to be assigned
+# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
+# be assigned to guests.
+#
+# relaxed_acs_check = 1
+
+
+# QEMU implements an extension for providing audio over a VNC connection,
+# though if your VNC client does not support it, your only chance for getting
+# sound output is through regular audio backends. By default, libvirt will
+# disable all QEMU sound backends if using VNC, since they can cause
+# permissions issues. Enabling this option will make libvirtd honor the
+# QEMU_AUDIO_DRV environment variable when using VNC.
+#
+# vnc_allow_host_audio = 0
+
+# If clear_emulator_capabilities is enabled, libvirt will drop all
+# privileged capabilities of the QEmu/KVM emulator. This is enabled by
+# default.
+#
+# Warning: Disabling this option means that a compromised guest can
+# exploit the privileges and possibly do damage to the host.
+#
+# clear_emulator_capabilities = 1
+
+
+
+# If allow_disk_format_probing is enabled, libvirt will probe disk
+# images to attempt to identify their format, when not otherwise
+# specified in the XML. This is disabled by default.
+#
+# WARNING: Enabling probing is a security hole in almost all
+# deployments. It is strongly recommended that users update their
+# guest XML elements to include
+# elements instead of enabling this option.
+# allow_disk_format_probing = 1
diff --git a/cookbooks/vpc/metadata.rb b/cookbooks/vpc/metadata.rb
new file mode 100644
index 0000000..0dbad45
--- /dev/null
+++ b/cookbooks/vpc/metadata.rb
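Review bot: `security_driver = "none"` is the only active setting shipped in this file, and it turns off libvirt's per-guest confinement of the QEMU process (the SELinux driver on SELinux hosts; presumably the AppArmor driver on the Ubuntu images this cookbook targets — confirm), so every guest's emulator runs unconfined and the file's own warning under `clear_emulator_capabilities` about what a compromised guest can reach applies with nothing in front of it. If the driver genuinely has to be off on the stock Cloud Servers image, the reason belongs next to the setting: `# Disabled because <REASON-PLACEHOLDER>; re-enable once <CONDITION-PLACEHOLDER>`. Otherwise leave the line commented so the packaged default applies, and keep `clear_emulator_capabilities` at its default of 1.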
@@ -0,0 +1,8 @@
+maintainer "Rackspace"
+maintainer_email "devnull@rackspace.com"
+license "Apache 2.0"
+description "VPC cookbooks"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc'))
+version "0.1"
+
+depends "apt"
diff --git a/cookbooks/vpc/recipes/apt.rb b/cookbooks/vpc/recipes/apt.rb
new file mode 100644
index 0000000..3b86f3f
--- /dev/null
+++ b/cookbooks/vpc/recipes/apt.rb
@@ -0,0 +1,29 @@
+#
+# Cookbook Name:: Rackspace
+# Recipe:: packages
+#
+# Copyright 2011, Rackspace
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe 'apt'
+
+apt_repository "openstack" do
+ key "2A2356C9"
+ keyserver "keyserver.ubuntu.com"
+ uri "http://ppa.launchpad.net/nova-core/trunk/ubuntu"
+ distribution node[:apt][:distro]
+ components(["main"])
+ action :add
+end
diff --git a/cookbooks/vpc/recipes/default.rb b/cookbooks/vpc/recipes/default.rb
new file mode 100644
index 0000000..142e52a
--- /dev/null
+++ b/cookbooks/vpc/recipes/default.rb
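Review bot: `depends "apt"` is the only dependency declared, but `cookbooks/vpc/recipes/nova_compute.rb` in this same commit calls `include_recipe "nova::common"` and `resources(:template => "/etc/nova/nova.conf")`, both of which only resolve when the nova cookbook is present on the node; with a Chef server, a cookbook that is not in the run list or the dependency graph is presumably not shipped to the node at all, so the vpc::nova_compute run would fail at that line. Add `depends "nova"` after the existing `depends "apt"`.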
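Review bot: `key "2A2356C9"` identifies the PPA signing key by an 8-hex-digit short ID pulled from `keyserver.ubuntu.com`; short IDs are not unique and the keyserver fetch is unauthenticated, so the key that ends up trusted for the plain-`http://` repository on the next line is not pinned to the one intended. Pin the full 40-hex-digit fingerprint instead, `key "<FULL-FINGERPRINT-PLACEHOLDER>"` (presumably the apt cookbook passes this to `apt-key adv --recv`, which accepts a fingerprint — confirm for the cookbook version in use), or ship the key file under `files/default` and point `key` at it. The header comment reads `Cookbook Name:: Rackspace` / `Recipe:: packages` for a file that is `vpc/recipes/apt.rb`.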
@@ -0,0 +1,18 @@
+#
+# Cookbook Name:: rackspace
+# Recipe:: default
+#
+# Copyright 2011, Rackspace
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
diff --git a/cookbooks/vpc/recipes/dev_setup.rb b/cookbooks/vpc/recipes/dev_setup.rb
new file mode 100644
index 0000000..87ef2da
--- /dev/null
+++ b/cookbooks/vpc/recipes/dev_setup.rb
@@ -0,0 +1,47 @@
+#
+# Cookbook Name:: rackspace
+# Recipe:: def_setup
+#
+# Copyright 2011, Rackspace
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+"bzr python-virtualenv python-dev swig python-m2crypto pep8".each(" ") do |pkg|
+ package pkg.chomp(" ")
+end
+
+group node[:vpc][:dev_setup][:group] do
+ action :create
+ group_name node[:vpc][:dev_setup][:group]
+end
+
+user node[:vpc][:dev_setup][:user] do
+ group node[:vpc][:dev_setup][:group]
+ comment "Nova User"
+ home node[:vpc][:dev_setup][:dir]
+ shell "/bin/bash"
+ not_if "grep #{node[:vpc][:dev_setup][:user]} /etc/passwd"
+end
+
+directory node[:vpc][:dev_setup][:dir] do
+ owner node[:vpc][:dev_setup][:user]
+ group node[:vpc][:dev_setup][:group]
+ mode "0700"
+ action :create
+end
+
+execute "bzr checkout lp:nova #{node[:vpc][:dev_setup][:dir]}/nova" do
+ user node[:vpc][:dev_setup][:user]
+ not_if do File.exists?("#{node[:vpc][:dev_setup][:dir]}/nova") end
+end
diff --git a/cookbooks/vpc/recipes/nova_compute.rb b/cookbooks/vpc/recipes/nova_compute.rb
new file mode 100644
index 0000000..f7451be
--- /dev/null
+++ b/cookbooks/vpc/recipes/nova_compute.rb
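Review bot: `"bzr python-virtualenv python-dev swig python-m2crypto pep8".each(" ") do |pkg|` relies on `String#each` taking a separator, which only exists on Ruby 1.8; on 1.9 and later `String#each` is gone and the recipe raises `NoMethodError` before a single resource is declared. Replace the loop and its `chomp(" ")` with `%w[bzr python-virtualenv python-dev swig python-m2crypto pep8].each { |pkg| package pkg }`. The guard `not_if "grep #{node[:vpc][:dev_setup][:user]} /etc/passwd"` on the `user` resource is a substring match over every passwd line and splices a node attribute unquoted into a shell string; the `user` resource is already idempotent, so drop the guard, or if one is wanted use `not_if "getent passwd #{node[:vpc][:dev_setup][:user]}"`, which matches the account name exactly. The header says `Recipe:: def_setup` for a file named dev_setup.rb.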
@@ -0,0 +1,26 @@
+# NOTE: I manually reimplented the nova-compute startup here so that it
+# works on stock cloud servers. This works around the fact that stock
+# Ubuntu Cloud Servers images don't have the 'nbd' (network block device)
+# kernel module.
+
+include_recipe "nova::common"
+
+package "nova-compute" do
+ options "--force-yes"
+ action :install
+end
+
+cookbook_file "/etc/init/nova-compute.conf" do
+ source "nova-compute.conf"
+ mode "0644"
+end
+
+service "nova-compute" do
+ restart_command "restart nova-compute"
+ stop_command "stop nova-compute"
+ start_command "start nova-compute"
+ status_command "status nova-compute | cut -d' ' -f2 | cut -d'/' -f1 | grep start"
+ supports :status => true, :restart => true
+ action :start
+ subscribes :restart, resources(:template => "/etc/nova/nova.conf")
+end
diff --git a/cookbooks/vpc/recipes/nova_compute_setup.rb b/cookbooks/vpc/recipes/nova_compute_setup.rb
new file mode 100644
index 0000000..f17a2a8
--- /dev/null
+++ b/cookbooks/vpc/recipes/nova_compute_setup.rb
@@ -0,0 +1,33 @@
+# This recipe contains setup steps required for Nova Compute to work
+# correctly on our Stock Ubuntu Cloud Servers images
+
+# NOTE: (dprince) Inside of our VPC environments we already have a virbr0
+# bridge interface so we can use that
+
+#package "bridge-utils"
+#execute "brctl addbr br100" do
+ #not_if "brctl show | grep br100"
+#end
+
+directory "/dev/cgroup" do
+ owner "root"
+ group "root"
+ mode "0755"
+ action :create
+end
+
+execute "mount -t cgroup none /dev/cgroup -o devices" do
+ not_if "mount | grep cgroup"
+end
+
+execute "apt-get -y --force-yes install libvirt0=#{node[:libvirt][:version]} libvirt-bin=#{node[:libvirt][:version]} python-libvirt=#{node[:libvirt][:version]}" do
+ not_if "dpkg -l libvirt-bin | grep #{node[:libvirt][:version]}"
+end
+
+service "libvirt-bin"
+
+cookbook_file "/etc/libvirt/qemu.conf" do
+ source "qemu.conf"
+ mode "0644"
+ notifies :restart, resources(:service => "libvirt-bin")
+end
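Review bot: `options "--force-yes"` on the `nova-compute` package resource makes apt continue past its prompts, including the one for packages whose signature cannot be verified, so a package from the PPA that fails authentication is still installed; the same flag appears in the `apt-get -y --force-yes install libvirt0=…` execute in `recipes/nova_compute_setup.rb` further down this commit. Since `vpc::apt` imports the repository key, the flag should not be needed here; drop the `options` line, or if it was added for some other prompt, say which in a comment so the next reader knows what it is silencing. `status_command "status nova-compute | cut -d' ' -f2 | cut -d'/' -f1 | grep start"` deserves a one-line comment such as `# parses upstart's "nova-compute start/running, process N" into "start"` so the cut/grep chain is not opaque. The NOTE at the top describes a workaround for the missing `nbd` module, but nothing in this recipe visibly relates to nbd; either name what differs from the stock startup or trim the comment.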
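Review bot: the libvirt install is an `execute "apt-get -y --force-yes install libvirt0=… libvirt-bin=… python-libvirt=…"` guarded by `not_if "dpkg -l libvirt-bin | grep #{node[:libvirt][:version]}"`, which is a substring match over the whole `dpkg -l` line, never checks `libvirt0` or `python-libvirt`, and splices the version attribute unquoted into two shell commands; a half-installed set is never repaired and `--force-yes` lets unauthenticated packages through. Chef's `package` resource pins a `version` and compares it with what dpkg reports, so three `package` resources replace the execute, its guard and the flag (whether a downgrade from the image's candidate is needed cannot be seen from here — confirm on a stock image). `execute "mount -t cgroup none /dev/cgroup -o devices"` with `not_if "mount | grep cgroup"` is also skipped whenever any cgroup hierarchy is mounted anywhere, leaving `/dev/cgroup` empty; `not_if "mountpoint -q /dev/cgroup"` tests the actual mount point.
```ruby
# … unchanged: /dev/cgroup directory and cgroup mount …

%w[libvirt0 libvirt-bin python-libvirt].each do |pkg|
  package pkg do
    version node[:libvirt][:version]
    action :install
  end
end

# … unchanged: libvirt-bin service and qemu.conf cookbook_file …
```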
diff --git a/roles/README b/roles/README
new file mode 100644
index 0000000..eb93964
--- /dev/null
+++ b/roles/README
@@ -0,0 +1,4 @@
+Create roles here, in either .rb or .json files. To install roles on the
+server, use knife. We provide an example role here.
+
+knife role from file roles/base_example.rb
diff --git a/roles/glance-api.rb b/roles/glance-api.rb
new file mode 100644
index 0000000..5846574
--- /dev/null
+++ b/roles/glance-api.rb
@@ -0,0 +1,6 @@
+name "glance-api"
+
+run_list(
+ "recipe[vpc::apt]",
+ "recipe[glance::api]"
+)
diff --git a/roles/glance-registry.rb b/roles/glance-registry.rb
new file mode 100644
index 0000000..a7f2951
--- /dev/null
+++ b/roles/glance-registry.rb
@@ -0,0 +1,6 @@
+name "glance-registry"
+
+run_list(
+ "recipe[vpc::apt]",
+ "recipe[glance::registry]"
+)
diff --git a/roles/mysql-server.rb b/roles/mysql-server.rb
new file mode 100644
index 0000000..4264560
--- /dev/null
+++ b/roles/mysql-server.rb
@@ -0,0 +1,9 @@
+name "mysql-server"
+description "MySQL server"
+
+run_list(
+ "recipe[build-essential]",
+ "recipe[ruby]",
+ "recipe[mysql::server]",
+ "recipe[nova::mysql]"
+)
diff --git a/roles/nova-api.rb b/roles/nova-api.rb
new file mode 100644
index 0000000..0e58375
--- /dev/null
+++ b/roles/nova-api.rb
@@ -0,0 +1,6 @@
+name "nova-api"
+
+run_list(
+ "role[nova-base]",
+ "recipe[nova::api]"
+)
diff --git a/roles/nova-base.rb b/roles/nova-base.rb
new file mode 100644
index 0000000..d0b5a6a
--- /dev/null
+++ b/roles/nova-base.rb
@@ -0,0 +1,27 @@
+name "nova-base"
+
+run_list(
+ "recipe[vpc::apt]",
+ "recipe[nova::common]"
+)
+
+default_attributes(
+ "nova" => {
+ "public_interface" => "tun0",
+ "libvirt_type" => "qemu",
+ "creds" => {
+ "user" => "stacker",
+ "group" => "stacker",
+ "dir" => "/home/stacker"
+ },
+ "network_manager" => "nova.network.manager.FlatDHCPManager",
+ "default_project" => "admin",
+ "glance_host" => "glance1",
+ "flat_interface" => "tap0",
+ "flat_network_bridge" => "xenbr0",
+ "flat_network_dhcp_start" => "172.19.1.2",
+ "network" => "172.19.1.0/24 1 256",
+ "image_service" => "nova.image.glance.GlanceImageService",
+ "images" => ["http://images.ansolabs.com/tty.tgz"]
+ }
+)
diff --git a/roles/nova-compute.rb b/roles/nova-compute.rb
new file mode 100644
index 0000000..48c8bc3
--- /dev/null
+++ b/roles/nova-compute.rb
@@ -0,0 +1,6 @@
+name "nova-compute"
+
+run_list(
+ "role[nova-base]",
+ "recipe[vpc::nova_compute]"
+)
diff --git a/roles/nova-network.rb b/roles/nova-network.rb
new file mode 100644
index 0000000..8bcf083
--- /dev/null
+++ b/roles/nova-network.rb
@@ -0,0 +1,6 @@
+name "nova-network"
+
+run_list(
+ "role[nova-base]",
+ "recipe[nova::network]"
+)
diff --git a/roles/nova-objectstore.rb b/roles/nova-objectstore.rb
new file mode 100644
index 0000000..3e8d488
--- /dev/null
+++ b/roles/nova-objectstore.rb
@@ -0,0 +1,6 @@
+name "nova-objectstore"
+
+run_list(
+ "role[nova-base]",
+ "recipe[nova::objectstore]"
+)
diff --git a/roles/nova-scheduler.rb b/roles/nova-scheduler.rb
new file mode 100644
index 0000000..67805f2
--- /dev/null
+++ b/roles/nova-scheduler.rb
@@ -0,0 +1,6 @@
+name "nova-scheduler"
+
+run_list(
+ "role[nova-base]",
+ "recipe[nova::scheduler]"
+)
diff --git a/roles/nova-volume.rb b/roles/nova-volume.rb
new file mode 100644
index 0000000..d98835f
--- /dev/null
+++ b/roles/nova-volume.rb
@@ -0,0 +1,6 @@
+name "nova-volume"
+
+run_list(
+ "role[nova-base]",
+ "recipe[nova::volume]"
+)
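Review bot: `"images" => ["http://images.ansolabs.com/tty.tgz"]` hands the nova cookbook a guest image over plain HTTP and nothing in this commit records a checksum for it; the recipe that consumes the attribute is outside this page, so confirm it can verify what it downloads (a checksum recorded beside the URL, or a `remote_file` with `checksum` in the consuming recipe) before the role is applied to a node. The `"creds"` block repeats the `stacker` user, group and `/home/stacker` values that `cookbooks/vpc/attributes/dev_setup.rb` also defines, so the two can silently drift; note in a comment that they must match, e.g. `# keep in sync with vpc dev_setup attributes`. `"public_interface" => "tun0"`, `"glance_host" => "glance1"` and the `172.19.1.0/24` network are environment-specific values that a comment should mark as the VPC defaults to override per deployment.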
diff --git a/roles/rabbitmq-server.rb b/roles/rabbitmq-server.rb
new file mode 100644
index 0000000..9e2f8cb
--- /dev/null
+++ b/roles/rabbitmq-server.rb
@@ -0,0 +1,6 @@
+name "rabbitmq-server"
+
+run_list(
+ "recipe[rabbitmq]",
+ "recipe[nova::rabbit]"
+)