#!/bin/bash # # functions - puppet-openstack-integration specific functions # # Install external Puppet modules with r10k # Uses the following variables: # # - ``SCRIPT_DIR`` must be set to script path # - ``GEM_BIN_DIR`` must be set to Gem bin directory install_external() { PUPPETFILE=${SCRIPT_DIR}/Puppetfile1 r10k puppetfile install -v } # Install Puppet OpenStack modules with zuul-cloner # Uses the following variables: # # - ``PUPPETFILE_DIR`` must be set to Puppet modules directory # - ``SCRIPT_DIR`` must be set to script path # - ``ZUUL_REF`` must be set to Zuul ref. Fallback to 'None'. # - ``ZUUL_BRANCH`` must be set to Zuul branch. Fallback to 'master'. # - ``ZUUL_URL`` must be set to Zuul URL install_openstack() { cat > clonemap.yaml <$HIERA_CONFIG --- :backends: - yaml :yaml: :datadir: "${SCRIPT_DIR}/hiera" :hierarchy: - "%{::operatingsystem}" - "%{::osfamily}" - common EOF } is_fedora() { if [ -f /etc/os-release ]; then source /etc/os-release test "$ID" = "fedora" -o "$ID" = "centos" else return 1 fi } uses_debs() { # check if apt-get is installed, valid for debian based type "apt-get" 2>/dev/null } print_header() { if [ -n "$(set | grep xtrace)" ]; then set +x local enable_xtrace='yes' fi local msg=$1 printf '%.0s-' {1..80}; echo printf '| %-76s |\n' "${msg}" printf '%.0s-' {1..80}; echo if [ -n "${enable_xtrace}" ]; then set -x fi } install_puppet() { if uses_debs; then print_header 'Setup (Debian based)' # Puppetlabs packaging: # - trusty: puppet3 and puppet4 # - xenial: puppet4 only if [[ ${DISTRO} == "trusty" ]] || [[ ${DISTRO} == "xenial" && ${PUPPET_MAJ_VERSION} == 4 ]]; then if dpkg -l $PUPPET_RELEASE_FILE >/dev/null 2>&1; then $SUDO apt-get purge -y $PUPPET_RELEASE_FILE fi $SUDO rm -f /tmp/puppet.deb wget http://apt.puppetlabs.com/${PUPPET_RELEASE_FILE}-${DISTRO}.deb -O /tmp/puppet.deb $SUDO dpkg -i /tmp/puppet.deb # TODO(emilien): figure what installed /etc/default/puppet on the xenial nodepool image # We have no problem on Trusty but on Xenial we need to remove /etc/default/puppet before # trying to deploy puppet-agent from puppetlabs.com. $SUDO rm -rf /etc/default/puppet fi $SUDO apt-get update $SUDO apt-get install -y ${PUPPET_PKG} elif is_fedora; then print_header 'Setup (RedHat based)' if rpm --quiet -q $PUPPET_RELEASE_FILE; then $SUDO rpm -e $PUPPET_RELEASE_FILE fi # EPEL does not work fine with RDO, we need to make sure EPEL is really disabled if rpm --quiet -q epel-release; then $SUDO rpm -e epel-release fi $SUDO rm -f /tmp/puppet.rpm wget http://yum.puppetlabs.com/${PUPPET_RELEASE_FILE}-el-7.noarch.rpm -O /tmp/puppet.rpm $SUDO rpm -ivh /tmp/puppet.rpm $SUDO yum install -y ${PUPPET_PKG} fi } function run_puppet() { local manifest=$1 $SUDO $PUPPET_FULL_PATH apply $PUPPET_ARGS fixtures/${manifest}.pp local res=$? return $res } function catch_selinux_alerts() { if is_fedora; then $SUDO sealert -a /var/log/audit/audit.log if $SUDO grep -iq 'type=AVC' /var/log/audit/audit.log; then echo "AVC detected in /var/log/audit/audit.log" # TODO: figure why latest rabbitmq deployed with SSL tries to write in SSL pem file. # https://bugzilla.redhat.com/show_bug.cgi?id=1341738 if $SUDO grep -iqE 'denied.*system_r:rabbitmq_t' /var/log/audit/audit.log; then echo "non-critical RabbitMQ AVC, ignoring it now." else echo "Please file a bug on https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20OpenStack&component=openstack-selinux showing sealert output." exit 1 fi else echo 'No AVC detected in /var/log/audit/audit.log' fi fi }