From e0139b07653daa94aacbfc048cc152a21e4cd3e9 Mon Sep 17 00:00:00 2001 From: Micke Nordin Date: Tue, 13 Jun 2023 12:15:19 +0200 Subject: [PATCH 1/4] BAckups: Fix db backups DB backup dir clashed with statistics script storage location, and also some permission errors. diff --git a/templates/script/backupdb.erb.sh b/templates/script/backupdb.erb.sh index b35acbc..1eb7992 100644 --- a/templates/script/backupdb.erb.sh +++ b/templates/script/backupdb.erb.sh @@ -6,11 +6,16 @@ sleep $((16#$(ip a | grep "link/ether" | head -1 | awk -F ':' '{print $6}' | awk number_of_full_to_keep="<%= @full_backup_retention %>" backup="${1}" +if [[ -z ${backup} ]]; then + backup="backup1.$(hostname -d)" +fi if ! [[ ${backup} =~ backup1.*sunet.se$ ]]; then echo "Usage: ${0} " echo "Example: ${0} backup1.sunet.drive.sunet.se" fi backup_dir="/opt/backups" +backup_dir_long="${backup_dir}/backups" +mkdir -p ${backup_dir} bucket="db-backups" mirror="<%= @customer %>-<%= @environment %>-mirror" if [[ ${mirror} =~ common-(test|prod)-mirror ]]; then @@ -23,11 +28,8 @@ ssh ${backup} "sudo /home/script/bin/backup_db.sh" echo "Cleaning up old backups for ${backup}" ssh ${backup} "sudo /home/script/bin/purge_backups.sh /opt/mariadb_backup/backups/" echo "Copying backups here" -mkdir -p ${backup_dir} -scp script@${backup}:/opt/mariadb_backup/backups/$(date +%Y/%m/%d)/*.gz ${backup_dir} +scp script@${backup}:/opt/mariadb_backup/backups/$(date +%Y/%m/%d)/*.gz ${backup_dir_long} echo "Copying backups to remote bucket" rclone mkdir ${mirror}:${bucket} duplicity --full-if-older-than 1M --tempdir /mnt --archive-dir /mnt --no-encryption ${backup_dir} rclone://${mirror}:/${bucket} duplicity remove-all-but-n-full ${number_of_full_to_keep} --tempdir /mnt --archive-dir /mnt --force rclone://${mirror}:/${bucket} -echo "cleaning up" -rm -r ${backup_dir} diff --git a/templates/scriptreceiver/backup_db.erb.sh b/templates/scriptreceiver/backup_db.erb.sh index 025a338..3e15f25 100644 
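Review bot: The added `mkdir -p ${backup_dir}` creates /opt/backups but not `${backup_dir_long}`, which is the directory the `scp` in the next hunk now copies into; unless /opt/backups/backups is created somewhere not visible here, the copy of several `*.gz` files will fail. I would create the real target, with a mode that keeps the dumps private to the account running the script: `mkdir -p "${backup_dir_long}" && chmod 700 "${backup_dir_long}"`. Separately, the host check just below the new default only prints the usage text and falls through, so an empty `hostname -d` result or a non-matching argument still reaches the unquoted `ssh ${backup}`; adding `exit 1` inside that `if` and anchoring the pattern (`^backup1\..*sunet\.se$`) would stop the run there. The same hunk is repeated further down the page.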
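Review bot: With the trailing `rm -r ${backup_dir}` removed, each day's `*.gz` dump now stays in `${backup_dir_long}` with no local retention, while the `duplicity` line still uploads all of `${backup_dir}` with `--no-encryption`. That leaves a growing set of plaintext database dumps on this host, and anything else kept under /opt/backups (the commit message mentions the statistics script) presumably ends up in the `db-backups` bucket as well. I would point duplicity at `"${backup_dir_long}"` if only the dumps belong in the bucket, and prune local copies after a successful upload, e.g. `find "${backup_dir_long}" -name '*.gz' -mtime +<DAYS> -delete`, where `<DAYS>` is a placeholder for the retention you want. The same hunk appears again later on the page.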
--- a/templates/scriptreceiver/backup_db.erb.sh +++ b/templates/scriptreceiver/backup_db.erb.sh @@ -11,5 +11,7 @@ else fi docker exec ${container} /do_backup.sh ${customer} +chown root:script /opt/mariadb_backup/ +chmod 750 /opt/mariadb_backup/ chmod 755 ${backupdir} chown -R script:root ${backupdir} --- templates/script/backupdb.erb.sh | 10 ++++++---- templates/scriptreceiver/backup_db.erb.sh | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/templates/script/backupdb.erb.sh b/templates/script/backupdb.erb.sh index b35acbc..1eb7992 100644 --- a/templates/script/backupdb.erb.sh +++ b/templates/script/backupdb.erb.sh @@ -6,11 +6,16 @@ sleep $((16#$(ip a | grep "link/ether" | head -1 | awk -F ':' '{print $6}' | awk number_of_full_to_keep="<%= @full_backup_retention %>" backup="${1}" +if [[ -z ${backup} ]]; then + backup="backup1.$(hostname -d)" +fi if ! [[ ${backup} =~ backup1.*sunet.se$ ]]; then echo "Usage: ${0} " echo "Example: ${0} backup1.sunet.drive.sunet.se" fi backup_dir="/opt/backups" +backup_dir_long="${backup_dir}/backups" +mkdir -p ${backup_dir} bucket="db-backups" mirror="<%= @customer %>-<%= @environment %>-mirror" if [[ ${mirror} =~ common-(test|prod)-mirror ]]; then 
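Review bot: The context line `chmod 755 ${backupdir}` right after the new lines still makes the dump directory world-readable, so the new 750 on /opt/mariadb_backup/ is the only thing keeping other local users out; matching it with `chmod 750 "${backupdir}"` would keep the dumps protected even if the parent mode is changed later. The new `chown`/`chmod` also run unconditionally after `docker exec`, so as far as this hunk shows a failed backup is not noticed before permissions are rewritten; `docker exec ${container} /do_backup.sh ${customer} || exit 1` would surface the failure to the caller. The script starts above the hunk, so a `set -e` there would already cover that. The same hunk is repeated later on the page.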
@@ -23,11 +28,8 @@ ssh ${backup} "sudo /home/script/bin/backup_db.sh" echo "Cleaning up old backups for ${backup}" ssh ${backup} "sudo /home/script/bin/purge_backups.sh /opt/mariadb_backup/backups/" echo "Copying backups here" -mkdir -p ${backup_dir} -scp script@${backup}:/opt/mariadb_backup/backups/$(date +%Y/%m/%d)/*.gz ${backup_dir} +scp script@${backup}:/opt/mariadb_backup/backups/$(date +%Y/%m/%d)/*.gz ${backup_dir_long} echo "Copying backups to remote bucket" rclone mkdir ${mirror}:${bucket} duplicity --full-if-older-than 1M --tempdir /mnt --archive-dir /mnt --no-encryption ${backup_dir} rclone://${mirror}:/${bucket} duplicity remove-all-but-n-full ${number_of_full_to_keep} --tempdir /mnt --archive-dir /mnt --force rclone://${mirror}:/${bucket} -echo "cleaning up" -rm -r ${backup_dir} diff --git a/templates/scriptreceiver/backup_db.erb.sh b/templates/scriptreceiver/backup_db.erb.sh index 025a338..3e15f25 100644 --- a/templates/scriptreceiver/backup_db.erb.sh +++ b/templates/scriptreceiver/backup_db.erb.sh @@ -11,5 +11,7 @@ else fi docker exec ${container} /do_backup.sh ${customer} +chown root:script /opt/mariadb_backup/ +chmod 750 /opt/mariadb_backup/ chmod 755 ${backupdir} chown -R script:root ${backupdir} From ff3a5c143c6a0933a01382af9eed12cd5f359f92 Mon Sep 17 00:00:00 2001 From: Micke Nordin Date: Tue, 13 Jun 2023 12:16:55 +0200 Subject: [PATCH 2/4] Pass on vaiables --- manifests/db_type.pp | 14 ++++++++------ manifests/mariadb.pp | 9 +++++---- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/manifests/db_type.pp b/manifests/db_type.pp index 6448878..7c953b4 100644 --- a/manifests/db_type.pp +++ b/manifests/db_type.pp @@ -4,7 +4,9 @@ define sunetdrive::db_type( $bootstrap=undef, $location=undef, $override_config = undef, - $override_compose = undef) + $override_compose = undef, + $replicate_rewrite_db = undef, +) { # Config from group.yaml 
@@ -27,8 +29,8 @@ define sunetdrive::db_type( $mysql_user_password = safe_hiera('mysql_user_password') $mariadb_dir = '/etc/mariadb' $mycnf_path = 'sunetdrive/mariadb/my.cnf.erb' - $server_id = 1000 + Integer($facts['hostname'][-1]) - ensure_resource('file',"${mariadb_dir}", { ensure => directory, recurse => true } ) + $server_id = 1000 + Integer($facts['networking']['hostname'][-1]) + ensure_resource('file',$mariadb_dir, { ensure => directory, recurse => true } ) $dirs = ['datadir', 'init', 'conf', 'backups', 'scripts' ] $dirs.each |$dir| { ensure_resource('file',"${mariadb_dir}/${dir}", { ensure => directory, recurse => true } ) @@ -90,7 +92,7 @@ define sunetdrive::db_type( mode => '0744', } sunet::scriptherder::cronjob { 'purge_binlogs': - cmd => "/usr/local/bin/purge-binlogs", + cmd => '/usr/local/bin/purge-binlogs', hour => '6', minute => '0', ok_criteria => ['exit_status=0','max_age=2d'], @@ -109,14 +111,14 @@ define sunetdrive::db_type( content => template('sunetdrive/mariadb/status-test.erb'), mode => '0744', } - file { "/etc/sudoers.d/99-size-test": + file { '/etc/sudoers.d/99-size-test': ensure => file, content => "script ALL=(root) NOPASSWD: /usr/local/bin/size-test\n", mode => '0440', owner => 'root', group => 'root', } - file { "/etc/sudoers.d/99-status-test": + file { '/etc/sudoers.d/99-status-test': ensure => file, content => "script ALL=(root) NOPASSWD: /usr/local/bin/status-test\n", mode => '0440', diff --git a/manifests/mariadb.pp b/manifests/mariadb.pp index 66f3522..8725c8a 100644 --- a/manifests/mariadb.pp +++ b/manifests/mariadb.pp 
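Review bot: `Integer($facts['networking']['hostname'][-1])` in the first hunk uses only the last character of the hostname, so catalog compilation fails on a host whose name does not end in a digit, and two hosts whose names end in the same digit get the same `$server_id`. The commit only switches to the structured fact, so this is carried over rather than introduced, but the new line is a good place for a guard or at least a comment stating the assumption, e.g. `# assumes hostnames end in a single digit that is unique per replication group`. The other two hunks in this file only change quoting.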
@@ -8,12 +8,13 @@ class sunetdrive::mariadb ( $replicate_rewrite_db = undef, ) { - $quorum_id = $facts['facts['networking']['fqdn']'] + $quorum_id = $facts['networking']['fqdn'] $quorum_password = safe_hiera('quorum_password') $db = sunetdrive::db_type { 'base_db': - bootstrap => $bootstrap, - tag_mariadb => $tag_mariadb, - location => $location, + bootstrap => $bootstrap, + tag_mariadb => $tag_mariadb, + location => $location, + replicate_rewrite_db => $replicate_rewrite_db, } file { '/etc/quorum.conf': ensure => file, From 1e23d134f1551c5c86c4300e4e3c2b24d1247abf Mon Sep 17 00:00:00 2001 From: Micke Nordin Date: Tue, 13 Jun 2023 14:15:53 +0200 Subject: [PATCH 3/4] Add fqdn to PS1 --- manifests/scriptreceiver.pp | 7 +- templates/scriptreceiver/baschrc.erb | 99 ++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+), 4 deletions(-) create mode 100644 templates/scriptreceiver/baschrc.erb diff --git a/manifests/scriptreceiver.pp b/manifests/scriptreceiver.pp index cf9ece4..c50c566 100644 --- a/manifests/scriptreceiver.pp +++ b/manifests/scriptreceiver.pp @@ -23,7 +23,6 @@ class sunetdrive::scriptreceiver() owner => 'script', group => 'script', } - $kano_shell = ['89.46.21.246','2001:6b0:6c::1bc'] sunet::misc::ufw_allow { 'script_port': from => $script_ipv4 + $script_ipv6 + $kano_shell, @@ -49,10 +48,10 @@ class sunetdrive::scriptreceiver() owner => 'root', group => 'root', } - file { '/usr/local/bin/safer_reboot': + file { '/root/.bashrc': ensure => file, - content => template('sunetdrive/scriptreceiver/safer_reboot.erb'), - mode => '0740', + content => template('sunetdrive/scriptreceiver/baschrc.erb'), + mode => '0644', owner => 'root', group => 'root', } diff --git a/templates/scriptreceiver/baschrc.erb b/templates/scriptreceiver/baschrc.erb new file mode 100644 index 0000000..7f40ab6 --- /dev/null +++ b/templates/scriptreceiver/baschrc.erb 
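Review bot: The template path `sunetdrive/scriptreceiver/baschrc.erb` in the second scriptreceiver.pp hunk is misspelled (`baschrc` for `bashrc`), and the new template file carries the same name, so it resolves but will be hard to find later. Renaming both to `bashrc.erb` now is cheaper than after more manifests reference it. A one-line comment on the resource, such as `# root prompt shows the FQDN so operators can tell hosts apart`, would also explain why root's .bashrc is managed here.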
@@ -0,0 +1,99 @@ +# THIS FILE IS MANAGED BY PUPPET +# ~/.bashrc: executed by bash(1) for non-login shells. +# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) +# for examples + +# If not running interactively, don't do anything +[ -z "$PS1" ] && return + +# don't put duplicate lines in the history. See bash(1) for more options +# ... or force ignoredups and ignorespace +HISTCONTROL=ignoredups:ignorespace + +# append to the history file, don't overwrite it +shopt -s histappend + +# for setting history length see HISTSIZE and HISTFILESIZE in bash(1) +HISTSIZE=1000 +HISTFILESIZE=2000 + +# check the window size after each command and, if necessary, +# update the values of LINES and COLUMNS. +shopt -s checkwinsize + +# make less more friendly for non-text input files, see lesspipe(1) +[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" + +# set variable identifying the chroot you work in (used in the prompt below) +if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then + debian_chroot=$(cat /etc/debian_chroot) +fi + +# set a fancy prompt (non-color, unless we know we "want" color) +case "$TERM" in + xterm-color) color_prompt=yes;; +esac + +# uncomment for a colored prompt, if the terminal has the capability; turned +# off by default to not distract the user: the focus in a terminal window +# should be on the output of commands, not on the prompt +#force_color_prompt=yes + +if [ -n "$force_color_prompt" ]; then + if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then + # We have color support; assume it's compliant with Ecma-48 + # (ISO/IEC-6429). (Lack of such support is extremely rare, and such + # a case would tend to support setf rather than setaf.) 
+ color_prompt=yes + else + color_prompt= + fi +fi +if [ "$color_prompt" = yes ]; then + PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@$(hostname -f)\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' +else + PS1='${debian_chroot:+($debian_chroot)}\u@$(hostname -f):\w\$ ' +fi +unset color_prompt force_color_prompt + +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@$(hostname -f): \w\a\]$PS1" + ;; +*) + ;; +esac + +# enable color support of ls and also add handy aliases +if [ -x /usr/bin/dircolors ]; then + test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" + alias ls='ls --color=auto' + #alias dir='dir --color=auto' + #alias vdir='vdir --color=auto' + + alias grep='grep --color=auto' + alias fgrep='fgrep --color=auto' + alias egrep='egrep --color=auto' +fi + +# some more ls aliases +alias ll='ls -alF' +alias la='ls -A' +alias l='ls -CF' + +# Alias definitions. +# You may want to put all your additions into a separate file like +# ~/.bash_aliases, instead of adding them here directly. +# See /usr/share/doc/bash-doc/examples in the bash-doc package. + +if [ -f ~/.bash_aliases ]; then + . ~/.bash_aliases +fi + +# enable programmable completion features (you don't need to enable +# this, if it's already enabled in /etc/bash.bashrc and /etc/profile +# sources /etc/bash.bashrc). +#if [ -f /etc/bash_completion ] && ! shopt -oq posix; then +# . /etc/bash_completion +#fi From bc329be450d5f6c2bcd751fbc9921139b77b0f9a Mon Sep 17 00:00:00 2001 From: Micke Nordin Date: Thu, 15 Jun 2023 12:00:47 +0200 Subject: [PATCH 4/4] Add back safer_reboot --- manifests/scriptreceiver.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/manifests/scriptreceiver.pp b/manifests/scriptreceiver.pp index c50c566..45c41f3 100644 --- a/manifests/scriptreceiver.pp +++ b/manifests/scriptreceiver.pp 
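Review bot: The two single-quoted `PS1` assignments run `$(hostname -f)` every time the prompt is drawn, while the double-quoted xterm title line expands it once at shell start, so root's prompt starts a process and does a name lookup on each command and can stall when resolution is slow. Resolving once and reusing the value keeps the three strings consistent: set `fqdn=$(hostname -f 2>/dev/null || hostname)` before the `if [ "$color_prompt" = yes ]` block and use `\u@${fqdn}` in the `PS1` strings. Since the file is an ERB template, the name could presumably also be rendered by Puppet from the `networking.fqdn` fact, which removes the lookup from the shell entirely.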
@@ -48,6 +48,13 @@ class sunetdrive::scriptreceiver() owner => 'root', group => 'root', } + file { '/usr/local/bin/safer_reboot': + ensure => file, + content => template('sunetdrive/scriptreceiver/safer_reboot.erb'), + mode => '0744', + owner => 'root', + group => 'root', + } file { '/root/.bashrc': ensure => file, content => template('sunetdrive/scriptreceiver/baschrc.erb'),
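Review bot: The re-added `safer_reboot` resource uses `mode => '0744'`, whereas the resource removed in the previous patch had `'0740'`, so the script becomes readable by every local user. If that widening is not intended, keep `mode => '0740',`; if it is, a short comment on the resource saying who needs read access would help the next reviewer. The `/root/.bashrc` resource that follows continues past the end of the hunk.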