commit 7515782eb503152dfc3e84fee1260fb10d560df9 Author: Leif Johansson Date: Mon Sep 2 16:01:50 2013 +0200 import diff --git a/README b/README new file mode 100644 index 0000000..d7ab52d --- /dev/null +++ b/README @@ -0,0 +1,24 @@ + +Initial setup: + + git clone git://github.com/leifj/multiverse.git myproj-cosmos + cd myproj-cosmos + + - rename the github upstream + + git remote rename origin github + + - add a new upstream & ro branch + + git remote add origin git@//yourhost/myproj-cosmos.git + git remote add ro git://yourhost/myproj-cosmos.git + + - add stuff... + + make bump + +To add a new host: + + - Make sure you have root access using an SSH key + - ./addhost + diff --git a/addhost b/addhost new file mode 100755 index 0000000..7099020 --- /dev/null +++ b/addhost @@ -0,0 +1,45 @@ +#!/bin/sh + +cmd_hostname="" +cmd_do_bootstrap="no" + +set -- $(getopt b?h? "$@") + +while [ $# -gt 0 ]; do + case "$1" in + (-h) echo "Usage: $0 [-h] [-b] [--] []"; exit 0;; + (-b) cmd_do_bootstrap="yes" ;; + (--) shift; break;; + (-*) echo "Unknown option $1\nUsage: $0 [-b] [-h] [--] "; exit 1;; + (*) break;; + esac + shift +done + +if [ ! -z "$1" -a -z "$cmd_hostname" ]; then + cmd_hostname="$1" +fi + +if test -z "$cmd_hostname"; then + echo "Usage: $0 [-h] [-b] [--] " + exit 1 +fi + +test -f cosmos.conf && . ./cosmos.conf + +defrepo=`git remote -v | grep ${remote:="ro"} | grep fetch | awk '{print $2}'` +rrepo=${repo:="$defrepo"} + +if [ ! -d $cmd_hostname ]; then + cp -pr default $cmd_hostname + git add $cmd_hostname + git commit -m "$cmd_hostname added" $cmd_hostname + ./bump-tag +fi + +if [ "$cmd_do_bootstrap" = "yes" ]; then + scp apt/cosmos_1.2-2_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname: + ssh root@$cmd_hostname ./bootstrap-cosmos.sh $cmd_hostname $rrepo + ssh root@$cmd_hostname cosmos update + ssh root@$cmd_hostname cosmos apply +fi diff --git a/apt/bootstrap-cosmos.sh b/apt/bootstrap-cosmos.sh new file mode 100755 index 0000000..1e8b751 --- /dev/null 
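Review bot: `cmd_hostname` comes straight from argv and is used unquoted in `cp -pr default $cmd_hostname`, `git add`, `git commit` and the three `ssh root@$cmd_hostname` lines, so a value with whitespace or shell metacharacters is re-split locally and again by the remote login shell; quote every use, e.g. `cp -pr default "$cmd_hostname"` and `ssh "root@$cmd_hostname" ./bootstrap-cosmos.sh "$cmd_hostname" "$rrepo"`. The `-d` test is the only validation of the name, so a path-like value (a leading `../`, for instance) copies the `default` tree outside the repository before `git add` runs; rejecting names containing `/` before the copy closes that. `grep ${remote:="ro"}` is a substring match over every remote line, so `defrepo` can pick up another remote whose name or URL happens to contain `ro`; an exact field match such as `awk -v r="${remote:-ro}" '$1 == r && $3 == "(fetch)" {print $2}'` is safer. The `\n` inside the `echo "Unknown option ..."` message is not interpreted by every `/bin/sh`, so that usage text may print literally.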
+++ b/apt/bootstrap-cosmos.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +set -e + +cmd_hostname="$1" +if test -z "$cmd_hostname"; then + echo "Usage: $0 HOSTNAME REPO" + exit 1 +fi + +cmd_repo="$2" +if test -z "$cmd_repo"; then + echo "Usage $0 HOSTNAME REPO" + exit 2 +fi + +set -x + +apt-get -y install rsync git-core +dpkg -i cosmos_1.2-2_all.deb + +if ! test -d /var/cache/cosmos/repo; then + cosmos clone "$cmd_repo" +fi + +hostname $cmd_hostname + +perl -pi -e "s,#COSMOS_REPO_MODELS=.*,COSMOS_REPO_MODELS=\"\\\$COSMOS_REPO/global/:\\\$COSMOS_REPO/$cmd_hostname/\"," /etc/cosmos/cosmos.conf +perl -pi -e 's,#COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=.*,COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN="eduid-cosmos*",' /etc/cosmos/cosmos.conf + +COSMOS_BASE=/var/cache/cosmos /var/cache/cosmos/repo/global/pre-tasks.d/010cosmos-trust + +(date; nohup cosmos -v update && nohup cosmos -v apply; date) > /var/log/cosmos.log 2>&1 + +exit 0 diff --git a/apt/cosmos_1.2-2_all.deb b/apt/cosmos_1.2-2_all.deb new file mode 100644 index 0000000..9fe4434 Binary files /dev/null and b/apt/cosmos_1.2-2_all.deb differ diff --git a/cosmos-rules.yaml b/cosmos-rules.yaml new file mode 120000 index 0000000..106567c --- /dev/null +++ b/cosmos-rules.yaml @@ -0,0 +1 @@ +global/overlay/etc/puppet/cosmos-rules.yaml \ No newline at end of file diff --git a/cosmos.conf b/cosmos.conf new file mode 100644 index 0000000..32f286a --- /dev/null +++ b/cosmos.conf @@ -0,0 +1,2 @@ +tag="eduid-cosmos" +#repo=git://override-repo-URL diff --git a/default/README b/default/README new file mode 120000 index 0000000..59a23c4 --- /dev/null +++ b/default/README @@ -0,0 +1 @@ +../README \ No newline at end of file diff --git a/fabfile/__init__.py b/fabfile/__init__.py new file mode 100644 index 0000000..5574f3a --- /dev/null +++ b/fabfile/__init__.py 
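Review bot: The trust step runs `/var/cache/cosmos/repo/global/pre-tasks.d/010cosmos-trust`, but this commit adds that script as `global/post-tasks.d/015cosmos-trust` and `global/pre-tasks.d/` only gains `020common-tools` and `030puppet`, so under `set -e` the bootstrap aborts at that line and the final `cosmos update && cosmos apply` never runs; the path should name the script as committed, or the script should live where this line expects it. `$cmd_hostname` is interpolated into the first `perl -pi -e "s,...,"` expression, so a hostname containing `,` or `$` corrupts the substitution and the resulting `COSMOS_REPO_MODELS` value; exporting it and reading it inside the perl code via `$ENV{...}` keeps it literal. The tag pattern is hard-coded to `eduid-cosmos*` while `cosmos.conf` in the same commit sets `tag="eduid-cosmos"` as a per-project value; if this variable governs which signed tags `cosmos update` accepts (its name suggests so — confirm), it should be derived from the configured tag or passed as an argument rather than fixed here, otherwise a renamed project verifies against the wrong prefix.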
@@ -0,0 +1,53 @@ +from fabric.api import run,env +from fabric.operations import get +import os +import yaml +import re + +def _all_hosts(): + return filter(lambda fn: '.' in fn and not fn.startswith('.') and os.path.isdir(fn),os.listdir(".")) + +def _roledefs(): + rules = dict() + + rules_file = "cosmos-rules.yaml"; + if os.path.exists(rules_file): + with open(rules_file) as fd: + rules.update(yaml.load(fd)) + + roles = dict() + for node_name in _all_hosts(): + for reg,cls in rules.iteritems(): + if re.search(reg,node_name): + for cls_name in cls.keys(): + h = roles.get(cls_name,[]) + h.append(node_name) + roles[cls_name] = h + return roles + +env.user = 'root' +env.timeout = 30 +env.connection_attempts = 3 +env.warn_only = True +env.skip_bad_hosts = True +env.roledefs = _roledefs() + +print repr(env.roledefs) + +def all(): + env.hosts = _all_hosts() + +def cosmos(): + run("cosmos update && cosmos apply"); + +def upgrade(): + run("apt-get -qq update && apt-get -y -q dist-upgrade"); + +def facts(): + get("/var/run/facts.yaml",local_path="facts/%(host)s.yaml") + +def chassis(): + run("ipmi-chassis --get-chassis-status") + +def newvm(fqdn,ip,domain): + run("vmbuilder kvm ubuntu --domain %s --dest /var/lib/libvirt/images/%s.img --arch x86_64 --hostname %s --mem 512 --ip %s --addpkg openssh-server" % (domain,fqdn,fqdn,ip)) diff --git a/fabfile/__init__.pyc b/fabfile/__init__.pyc new file mode 100644 index 0000000..d66ff5d Binary files /dev/null and b/fabfile/__init__.pyc differ diff --git a/global/overlay/etc/cosmos/keys/.placeholder b/global/overlay/etc/cosmos/keys/.placeholder new file mode 100644 index 0000000..e69de29 diff --git a/global/overlay/etc/cron.d/cosmos b/global/overlay/etc/cron.d/cosmos new file mode 100644 index 0000000..b157bde --- /dev/null +++ b/global/overlay/etc/cron.d/cosmos 
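Review bot: `rules.update(yaml.load(fd))` in `_roledefs` uses the full YAML loader on `cosmos-rules.yaml`, which can instantiate arbitrary Python objects from a tagged document; since that file is distributed to every host through the repository, `yaml.safe_load(fd)` is the right call here and in `global/overlay/etc/puppet/cosmos_enc.py`, which has the same line. `print repr(env.roledefs)` runs at import time, so every `fab` invocation (including `fab -l`) prints the role map; drop it or guard it. `newvm` builds the `vmbuilder` command line with `%` from its three parameters and hands the string to `run`, which executes it through the remote shell, so quoting each value (`pipes.quote`, available in Python 2) keeps a stray space or metacharacter in `fqdn`, `ip` or `domain` from changing the command. The compiled `fabfile/__init__.pyc` is committed next to the source and should be removed and ignored.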
@@ -0,0 +1,4 @@ +SHELL=/bin/sh +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +*/15 * * * * root test -f /etc/no-automatic-cosmos || (cosmos update && cosmos apply) diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf new file mode 100644 index 0000000..d8ad043 --- /dev/null +++ b/global/overlay/etc/puppet/cosmos-modules.conf @@ -0,0 +1,11 @@ +# +# name source (puppetlabs fq name or git url) upgrade (yes/no) +# +concat puppetlabs/concat no +stdlib puppetlabs/stdlib no +ufw attachmentgenie/ufw no +apt puppetlabs/apt no +vcsrepo puppetlabs/vcsrepo no +xinetd puppetlabs/xinetd no +#golang elithrar/golang yes +#python git://github.com/stankevich/puppet-python.git yes diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml new file mode 100644 index 0000000..d9dc495 --- /dev/null +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -0,0 +1,2 @@ +'ns[0-9]?.mnt.se$': + nameserver: diff --git a/global/overlay/etc/puppet/cosmos_enc.py b/global/overlay/etc/puppet/cosmos_enc.py new file mode 100755 index 0000000..63c3a66 --- /dev/null +++ b/global/overlay/etc/puppet/cosmos_enc.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python + +import sys +import yaml +import os +import re + +rules_path = os.environ.get("COSMOS_RULES_PATH","/etc/puppet") + +node_name = sys.argv[1] + +rules = dict() +for p in rules_path.split(":"): + rules_file = os.path.join(p,"cosmos-rules.yaml") + if os.path.exists(rules_file): + with open(rules_file) as fd: + rules.update(yaml.load(fd)) + +classes = dict() +for reg,cls in rules.iteritems(): + if re.search(reg,node_name): + classes.update(cls) + +print yaml.dump(dict(classes=classes)) diff --git a/global/overlay/etc/puppet/hiera.yaml b/global/overlay/etc/puppet/hiera.yaml new file mode 100644 index 0000000..e69de29 
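Review bot: The every-15-minutes `cosmos update && cosmos apply` entry has no guard against overlapping with a previous run that is still applying (the pre/post tasks in this commit run `apt-get`, which can easily take longer than 15 minutes), so unless `cosmos` takes its own lock — not visible here — two `apply` runs can race on the same host; `test -f /etc/no-automatic-cosmos || flock -n /var/run/cosmos.lock sh -c 'cosmos update && cosmos apply'` keeps a second instance from starting. Output only goes to cron mail, so a `MAILTO=` line is worth adding if failures should reach someone.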
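Review bot: The pattern `ns[0-9]?.mnt.se$` is applied with `re.search` in both `cosmos_enc.py` and the fabfile, so the unescaped dots match any character and the missing `^` anchor lets names such as `dns1.mnt.se` or `xns1xmntxse` pick up the `nameserver` class; `'^ns[0-9]?\.mnt\.se$':` expresses the intended match exactly (single-quoted YAML keeps the backslashes literal). Because this file decides which Puppet classes a host receives, the patterns deserve to be as tight as the host-naming scheme allows.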
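Review bot: An empty or comment-only `cosmos-rules.yaml` makes `yaml.load(fd)` return `None`, and `rules.update(None)` then raises `TypeError`, aborting node classification for every host carrying such a file; `rules.update(yaml.load(fd) or {})` keeps an empty rules file harmless. The same applies to `classes.update(cls)` when a pattern has nothing under it, which `classes.update(cls or {})` covers. `sys.argv[1]` is read without a usage check, so running the script by hand with no argument ends in an `IndexError` instead of a message.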
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp new file mode 100644 index 0000000..c276f84 --- /dev/null +++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp @@ -0,0 +1,52 @@ +# This manifest is managed using cosmos + +Exec { + path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +} + +# include some of this stuff for additional features + +#include cosmos::tools +#include cosmos::motd +#include cosmos::ntp +#include cosmos::rngtools +#include cosmos::preseed +include ufw +include apt +include cosmos + +# you need a default node + +node default { + +} + +# edit and uncomment to manage ssh root keys in a simple way + +#class { 'cosmos::access': +# keys => [ +# "ssh-rsa ..." +# ] +#} + +# example config for the nameserver class which is matched in cosmos-rules.yaml + +#class nameserver { +# package {'bind9': +# ensure => latest +# } +# service {'bind9': +# ensure => running +# } +# ufw::allow { "allow-dns-udp": +# ip => 'any', +# port => 53, +# proto => "udp" +# } +# ufw::allow { "allow-dns-tcp": +# ip => 'any', +# port => 53, +# proto => "tcp" +# } +#} + diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf new file mode 100644 index 0000000..0ba85f4 --- /dev/null +++ b/global/overlay/etc/puppet/puppet.conf @@ -0,0 +1,14 @@ +[main] +logdir=/var/log/puppet +vardir=/var/lib/puppet +ssldir=/var/lib/puppet/ssl +rundir=/var/run/puppet +factpath=$vardir/lib/facter +templatedir=$confdir/templates +node_terminus = exec +external_nodes = /etc/puppet/cosmos_enc.py + +[master] +# These are needed when the puppetmaster is run by passenger +# and can safely be removed if webrick is used. +ssl_client_header = SSL_CLIENT_S_DN diff --git a/global/post-tasks.d/010fix-ssh-perms b/global/post-tasks.d/010fix-ssh-perms new file mode 100755 index 0000000..87636d7 --- /dev/null +++ b/global/post-tasks.d/010fix-ssh-perms 
@@ -0,0 +1,23 @@ +#!/bin/sh +# +# Re-used example from SJD +# + +if test -d /root/.ssh && \ + test `stat -t /root/.ssh | cut -d\ -f5` != 0; then + chown root.root /root/.ssh +fi + +if test -d /root/.ssh && \ + test `stat -c %a /root/.ssh` != 700; then + chmod 700 /root/.ssh +fi + +if test -f /root/.ssh/authorized_keys; then + if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then + chown root.root /root/.ssh/authorized_keys + fi + if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then + chmod 600 /root/.ssh/authorized_keys + fi +fi diff --git a/global/post-tasks.d/015cosmos-trust b/global/post-tasks.d/015cosmos-trust new file mode 100755 index 0000000..ad2c066 --- /dev/null +++ b/global/post-tasks.d/015cosmos-trust @@ -0,0 +1,16 @@ +#!/bin/sh + +for k in /etc/cosmos/keys/*.pub; do + fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'` + cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k +done + +for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do + seen="no" + for k in /etc/cosmos/keys/*.pub; do + cosmos gpg --with-colons --with-fingerprint < $k | grep -q ":$fp:" && seen="yes" + done + if [ "x$seen" = "xno" ]; then + cosmos gpg --yes --batch --delete-key $fp || true + fi +done diff --git a/global/post-tasks.d/020reports b/global/post-tasks.d/020reports new file mode 100755 index 0000000..091a236 --- /dev/null +++ b/global/post-tasks.d/020reports @@ -0,0 +1,4 @@ +#!/bin/sh + +rm -f /var/run/facts.json +facter -p -y > /var/run/facts.yaml diff --git a/global/post-tasks.d/030puppet b/global/post-tasks.d/030puppet new file mode 100755 index 0000000..6b1d33a --- /dev/null +++ b/global/post-tasks.d/030puppet 
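Review bot: When `/etc/cosmos/keys/` holds no `*.pub` file (this commit ships only `.placeholder` there), the unexpanded glob makes the inner `cosmos gpg ... < $k` fail, `seen` stays `no` for every key in the keyring, and the second loop runs `cosmos gpg --yes --batch --delete-key` on all of them — including whatever key the next `cosmos update` needs for verification; add `test -f "$k" || continue` in both loops and skip the deletion pass entirely when no key file was found. The comparison uses field 5 of the `pub` record, which is the key ID rather than the full fingerprint, and that same short value is what `--delete-key` receives; with `--with-colons --fingerprint` the full fingerprint is field 10 of the `fpr` record, so `awk -F: '$1 == "fpr" {print $10}'` and matching on that makes the keep/delete decision far harder to satisfy with a look-alike key. `$k` is unquoted in every use; quote it.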
@@ -0,0 +1,13 @@ +#!/bin/sh + +if [ "x$COSMOS_VERBOSE" = "xy" ]; then + args="--verbose" +else + args="--logdest=syslog" +fi + +if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then + for m in `find /etc/puppet/manifests -name \*.pp`; do + puppet apply $args $m + done +fi diff --git a/global/post-tasks.d/099autoremove b/global/post-tasks.d/099autoremove new file mode 100755 index 0000000..2cc6996 --- /dev/null +++ b/global/post-tasks.d/099autoremove @@ -0,0 +1,4 @@ +#!/bin/sh + +apt-get -qq update +apt-get -qq -y autoremove diff --git a/global/post-tasks.d/999reboot b/global/post-tasks.d/999reboot new file mode 100755 index 0000000..5331446 --- /dev/null +++ b/global/post-tasks.d/999reboot @@ -0,0 +1,3 @@ +#!/bin/sh + +test -f /var/run/reboot-required -a ! -f /etc/cosmos-manual-reboot && reboot diff --git a/global/pre-tasks.d/020common-tools b/global/pre-tasks.d/020common-tools new file mode 100755 index 0000000..eaca6ea --- /dev/null +++ b/global/pre-tasks.d/020common-tools @@ -0,0 +1,16 @@ +#!/bin/sh +# +# Re-used example from SJD +# + +set -e + +stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp" + +if ! test -f $stamp; then + apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp + update-alternatives --set editor /usr/bin/vim.basic + + mkdir -p `dirname $stamp` + touch $stamp +fi diff --git a/global/pre-tasks.d/030puppet b/global/pre-tasks.d/030puppet new file mode 100755 index 0000000..2dc0b80 --- /dev/null +++ b/global/pre-tasks.d/030puppet 
@@ -0,0 +1,35 @@ +#!/bin/sh +# +# Re-used example from SJD +# + +set -e + +stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp" + +if ! test -f $stamp -a -f /usr/bin/puppet; then + codename=`lsb_release -c| awk '{print $2}'` + wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb + dpkg -i puppetlabs-release-${codename}.deb + rm -f puppetlabs-release-${codename}.deb* + apt-get update + apt-get -y install puppet-common + + mkdir -p `dirname $stamp` + touch $stamp +fi + +python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml + +if [ -f /etc/puppet/cosmos-modules.conf ]; then + grep -E -v "^#" /etc/puppet/cosmos-modules.conf | ( + cd /etc/puppet/modules && while read module src update; do + if [ ! -d /etc/puppet/modules/$module ]; then + echo $src | grep -q "://" && git clone $src $module || puppet module install $src + else + if [ "x$update" = "xyes" ]; then + echo $src | grep -q "://" && (cd /etc/puppet/modules/$module && git pull -q) || puppet module upgrade $src + fi + fi + done) +fi
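Review bot: The Puppet Labs release package is fetched with `wget -c http://...` and installed with `dpkg -i` with no checksum or signature check, and that package is what configures the apt source and key for the following `apt-get install puppet-common`, so a tampered download on the plain-HTTP path controls every later package install on each new host; either fetch over `https://` and verify against a checksum committed next to this script (`sha256sum -c`), or commit the `.deb` itself as is already done for `apt/cosmos_1.2-2_all.deb`. The module loop clones any `src` containing `://` with a bare `git clone $src $module`, so a `git://` entry in `cosmos-modules.conf` (the commented `python` line is one) is fetched without transport authentication and without a pinned revision; prefer `https://` sources there and pin a tag or commit. The `A && B || C` chains on the clone and pull lines also fall through to `puppet module install $src` / `puppet module upgrade $src` with a URL whenever the git command fails, which masks the real error; an explicit `if/else` on the `://` test avoids that.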