Compare commits


10 commits

Johan Wassberg 646c40daf1
Merge pull request #52 from SUNET/jocar-allow-empty-hosts
Allow empty hosts
2024-04-15 11:43:21 +02:00
Johan Wassberg c72f5ccd86
Allow for hosts without class(s) 2024-04-12 15:32:40 +02:00
Micke Nordin b39960484f
Merge pull request #51 from SUNET/patlu-run-cosmos-fleetlock
run-cosmos: support fleetlock unlocking at reboot
2024-01-25 13:23:27 +01:00
Patrik Lundin df5558befb
Fix another indentation mismatch 2024-01-24 15:36:52 +01:00
Patrik Lundin 4b93d9c426
run-cosmos: support fleetlock unlocking at boot
This extends run-cosmos with a new argument that calls the unlock
function already included in the script as well as using the already
existing lock() function to make sure there is no race between the
bootup process and cron starting a normal run-cosmos process at the same
time.

The oexit() function is added to support exiting with an OK exit value
the same way eexit() is used to signal that something is wrong.

This change also adds the systemd unit file that runs run-cosmos with the
new fleetlock-unlock argument at boot if fleetlock is configured.

While here fix indentation that was mixed between 3 and 4 spaces: it is
now 4 spaces everywhere.
2024-01-24 15:36:34 +01:00
Micke Nordin cacb97a22c
Allow running of bumptag with out signed commits or tags
By setting ALLOW_UNSIGNED_COMMITS_WITHOUT_TAGS you can bootstrap bumptag
on first startup of new repo
2023-12-04 14:24:34 +01:00
Johan Wassberg ecedda68e3
Merge pull request #50 from SUNET/kano-sshproxyjump
PREPARE/ADDHOST: allow the use of proxyjump with ip address
2023-11-29 12:53:05 +01:00
Micke Nordin 71e112e009
PREPARE/ADDHOST: allow the ues of proxyjump with ip address
With this patch you can specify a ProxyJump for prepare-iaas-ubuntu,
prepare-iaas-debian and addhost. Example:

./prepare-iaas-debian 89.47.191.7 hj
./addhost -b -n node1.extern.drive.test.sunet.se -p hj -- 89.47.191.7

where hj is a host defined in my .ssh/config suitable for a proxyjump
to the host in question.

This makes it easier to use ip addresses for these scripts, which might
be necessary if dns takes a while to propagate.
2023-11-29 12:10:34 +01:00
Micke Nordin 1bd6524ad3
Merge pull request #48 from SUNET/john-bump-tag-from-nunoc-ops
Merge of improved bump-tag from nunoc-ops
2023-11-16 13:55:49 +01:00
John Van de Meulebrouck Brendgard 21c0cad8a0
Consistently use [[ for if statements. 2023-11-16 12:12:36 +01:00
7 changed files with 138 additions and 60 deletions

15
addhost

@ -13,11 +13,12 @@ function usage() {
echo " <host> can be an IP number, or something that resolves to one" echo " <host> can be an IP number, or something that resolves to one"
} }
while getopts "bhn:" this; do while getopts "bhnp:" this; do
case "${this}" in case "${this}" in
h) usage; exit 0;; h) usage; exit 0;;
b) cmd_do_bootstrap="yes" ;; b) cmd_do_bootstrap="yes" ;;
n) cmd_fqdn="${OPTARG}" ; shift ;; n) cmd_fqdn="${OPTARG}" ; shift ;;
p) cmd_proxy="${OPTARG}" ; shift ;;
*) echo "Unknown option ${this}"; echo ""; usage; exit 1;; *) echo "Unknown option ${this}"; echo ""; usage; exit 1;;
esac esac
done done
@ -36,6 +37,10 @@ if test -z "$cmd_hostname"; then
exit 1 exit 1
fi fi
if [[ -n $cmd_proxy ]]; then
proxyjump="-o ProxyJump=${cmd_proxy}"
fi
test -f cosmos.conf && . ./cosmos.conf test -f cosmos.conf && . ./cosmos.conf
_remote=${remote:='ro'} _remote=${remote:='ro'}
@ -57,8 +62,8 @@ fi
if [ "$cmd_do_bootstrap" = "yes" ]; then if [ "$cmd_do_bootstrap" = "yes" ]; then
cosmos_deb=$(find apt/ -maxdepth 1 -name 'cosmos_*.deb' | sort -V | tail -1) cosmos_deb=$(find apt/ -maxdepth 1 -name 'cosmos_*.deb' | sort -V | tail -1)
scp "$cosmos_deb" apt/bootstrap-cosmos.sh root@"$cmd_hostname": scp $proxyjump "$cosmos_deb" apt/bootstrap-cosmos.sh root@"$cmd_hostname":
ssh root@"$cmd_hostname" ./bootstrap-cosmos.sh "$cmd_fqdn" "$rrepo" "$rtag" ssh root@"$cmd_hostname" $proxyjump ./bootstrap-cosmos.sh "$cmd_fqdn" "$rrepo" "$rtag"
ssh root@"$cmd_hostname" cosmos update ssh root@"$cmd_hostname" $proxyjump cosmos update
ssh root@"$cmd_hostname" cosmos apply ssh root@"$cmd_hostname" $proxyjump cosmos apply
fi fi
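Review bot: The new getopts spec on the `while getopts` line drops the colon after `n`, so `-n` no longer takes an argument: `cmd_fqdn` is assigned from an empty `OPTARG` and the fqdn itself is left in the positional parameters; it should read `while getopts "bhn:p:" this; do`. The unquoted `$proxyjump` on the scp/ssh lines depends on word-splitting and on `proxyjump` being empty when `-p` is not given; if the script runs with `set -u` (not visible here) that expansion and `[[ -n $cmd_proxy ]]` would need defaults such as `${proxyjump:-}`. An array, `ssh_opts=(-o "ProxyJump=${cmd_proxy}")` expanded as `"${ssh_opts[@]}"`, avoids both concerns. The three ssh lines place the option after `root@"$cmd_hostname"`, which OpenSSH's option parsing accepts but which is easy to misread; putting it before the host, as the scp line does, is clearer.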


@ -173,12 +173,15 @@ tag_list="$(git tag -l "${tagpfx}-*")"
# shellcheck disable=SC2181 # shellcheck disable=SC2181
if [[ ${?} -ne 0 ]] || [[ -z "${tag_list}" ]]; then if [[ ${?} -ne 0 ]] || [[ -z "${tag_list}" ]]; then
if [[ -z ${ALLOW_UNSIGNED_COMMITS_WITHOUT_TAGS} ]]; then
echo "No tags found, verifying all commits instead." echo "No tags found, verifying all commits instead."
echo "Please set environment variable ALLOW_UNSIGNED_COMMITS_WITHOUT_TAGS if you want to disable this check."
# %H = commit hash # %H = commit hash
# %G? = show "G" for a good (valid) signature # %G? = show "G" for a good (valid) signature
git_log="$(git log --pretty="format:%H${t}%G?" \ git_log="$(git log --pretty="format:%H${t}%G?" \
--first-parent \ --first-parent \
| grep -v "${t}G$")" | grep -v "${t}G$")"
fi
else else
@ -255,7 +258,7 @@ while [[ -z "${ok}" ]]; do
esac esac
done done
if [ "${deftag}" != "${tagpfx}" ]; then if [[ "${deftag}" != "${tagpfx}" ]]; then
echo -e "Using new tag \e[94m${this_tag}\e[0m according to pattern in cosmos.conf" echo -e "Using new tag \e[94m${this_tag}\e[0m according to pattern in cosmos.conf"
else else
echo -e "Using new tag \e[94m${this_tag}\e[0m" echo -e "Using new tag \e[94m${this_tag}\e[0m"
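Review bot: Setting `ALLOW_UNSIGNED_COMMITS_WITHOUT_TAGS` skips the commit signature verification silently: when the variable is set the new inner `if` leaves `git_log` untouched (presumably empty-initialised earlier in the script, outside the hunk) and nothing is printed. Any value, including `no` or `0`, triggers the bypass because only `-z` is tested. A bypass of a signature check should be visible in the output, e.g. an `else` branch before the new `fi` with `echo "WARNING: ALLOW_UNSIGNED_COMMITS_WITHOUT_TAGS is set, skipping commit signature verification." >&2`, and the `Please set environment variable` message could state that any non-empty value disables the check. The outer `if`/`else` continues past the end of the hunk.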


@ -26,6 +26,7 @@ found = False
classes = dict() classes = dict()
for reg, cls in rules.items(): for reg, cls in rules.items():
if re.search(reg, node_name): if re.search(reg, node_name):
if cls:
classes.update(cls) classes.update(cls)
found = True found = True
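Review bot: The new `if cls:` guard carries no comment saying why a rule may map to nothing, and it treats a missing value (`None`) and an empty mapping alike, both skipping the update while `found` is still set. A one-line comment such as `# a rule may map to no classes (empty or null in the rules file); it still counts as a match` would record that intent. If the intent is only to tolerate a null value, `if cls is not None:` says so more precisely, since `classes.update({})` is harmless. The enclosing function starts before the hunk.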


@ -0,0 +1,11 @@
[Unit]
Description=run-cosmos fleetlock unlocker
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/run-cosmos fleetlock-unlock
[Install]
WantedBy=multi-user.target
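Review bot: Once enabled, this unit runs `run-cosmos fleetlock-unlock` at every boot unconditionally, while the script only enables it when `/etc/run-cosmos-fleetlock-conf` exists and `/etc/run-cosmos-fleetlock-disable` does not; if the config is later removed or the disable file created, the unit stays enabled. Adding `ConditionPathExists=/etc/run-cosmos-fleetlock-conf` and `ConditionPathExists=!/etc/run-cosmos-fleetlock-disable` under `[Unit]` would mirror the script's own gating and keep a boot-time run from failing on hosts where fleetlock was since disabled; whether `fleetlock_unlock` itself tolerates a missing config is outside this diff. A `Documentation=` line or a short comment naming the script's `fleetlock-unlock` argument would help whoever finds the unit without the script.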


@ -9,6 +9,7 @@ readonly LOCK_FD=200
readonly FLEETLOCK_CONFIG=/etc/run-cosmos-fleetlock-conf readonly FLEETLOCK_CONFIG=/etc/run-cosmos-fleetlock-conf
readonly FLEETLOCK_DISABLE_FILE=/etc/run-cosmos-fleetlock-disable readonly FLEETLOCK_DISABLE_FILE=/etc/run-cosmos-fleetlock-disable
readonly FLEETLOCK_TOOL=/usr/local/bin/sunet-fleetlock readonly FLEETLOCK_TOOL=/usr/local/bin/sunet-fleetlock
readonly FLEETLOCK_UNLOCK_SERVICE=run-cosmos-fleetlock-unlocker.service
readonly HEALTHCHECK_TOOL=/usr/local/bin/sunet-machine-healthy readonly HEALTHCHECK_TOOL=/usr/local/bin/sunet-machine-healthy
readonly HEALTHCHECK_DISABLE_FILE=/etc/run-cosmos-healthcheck-disable readonly HEALTHCHECK_DISABLE_FILE=/etc/run-cosmos-healthcheck-disable
@ -33,8 +34,38 @@ eexit() {
exit 1 exit 1
} }
oexit() {
local info_str="$*"
echo "$info_str"
exit 0
}
fleetlock_enable_unlock_service() {
# In case e.g. the unit file has been removed "FragmentPath" will still
# return the old filename until daemon-reload is called, so do that here
# before we try checking for the FragmentPath.
need_reload=$(systemctl show --property NeedDaemonReload $FLEETLOCK_UNLOCK_SERVICE | awk -F= '{print $2}')
if [ "$need_reload" = "yes" ]; then
systemctl daemon-reload
fi
unit_file=$(systemctl show --property FragmentPath $FLEETLOCK_UNLOCK_SERVICE | awk -F= '{print $2}')
if [ -z "$unit_file" ]; then
# No unit file matching the service name, do nothing
return 0
fi
# Enable the service if needed
systemctl is-enabled --quiet $FLEETLOCK_UNLOCK_SERVICE || systemctl enable --quiet $FLEETLOCK_UNLOCK_SERVICE
}
fleetlock_lock() { fleetlock_lock() {
if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
# Make sure the unlock service is enabled before we take a lock if
# cosmos ends up rebooting the machine before fleetlock_unlock() is
# called.
fleetlock_enable_unlock_service || return 1
local fleetlock_group="" local fleetlock_group=""
# shellcheck source=/dev/null # shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1 . $FLEETLOCK_CONFIG || return 1
@ -66,8 +97,16 @@ fleetlock_unlock() {
machine_is_healthy() { machine_is_healthy() {
if [ ! -f $HEALTHCHECK_DISABLE_FILE ] && [ -x $HEALTHCHECK_TOOL ]; then if [ ! -f $HEALTHCHECK_DISABLE_FILE ] && [ -x $HEALTHCHECK_TOOL ]; then
local fleetlock_healthcheck_timeout=""
local optional_args=()
# shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1
if [ -n "$fleetlock_healthcheck_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_healthcheck_timeout")
fi
echo "Running any health checks" echo "Running any health checks"
$HEALTHCHECK_TOOL || return 1 $HEALTHCHECK_TOOL "${optional_args[@]}" || return 1
fi fi
return 0 return 0
} }
@ -82,11 +121,22 @@ main () {
touch /var/run/last-cosmos-ok.stamp touch /var/run/last-cosmos-ok.stamp
find /var/lib/puppet/reports/ -type f -mtime +10 -print0 | xargs -0 rm -f find /var/lib/puppet/reports/ -type f -mtime +10 -print0 | xargs -0 rm -f
}
main "$@" if [ -f /cosmos-reboot ]; then
if [ -f /cosmos-reboot ]; then
rm -f /cosmos-reboot rm -f /cosmos-reboot
reboot reboot
fi fi
}
# Most of the time we just pass on any arguments to the underlying cosmos
# tools, if adding special cases here make sure to not shadow any arguments
# (like "-v") which users expect to be passed on to cosmos.
case "$1" in
"fleetlock-unlock")
lock "$PROGNAME" || oexit "$PROGNAME appears locked by a running run-cosmos, let it handle unlocking instead."
fleetlock_unlock || eexit "Unable to release fleetlock lock."
;;
*)
main "$@"
;;
esac
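Review bot: In `machine_is_healthy()` the new `. $FLEETLOCK_CONFIG || return 1` makes the health check fail on any host that has the healthcheck tool but no fleetlock config, because sourcing a missing file returns non-zero; the function's own guard only tests `HEALTHCHECK_DISABLE_FILE` and `HEALTHCHECK_TOOL`. Guard the source the way `fleetlock_lock()` does: `if [ -f $FLEETLOCK_CONFIG ]; then . $FLEETLOCK_CONFIG || return 1; fi`. Separately, `case "$1" in` at the bottom raises an unbound-variable error for an argument-less cron run if the script sets `-u` anywhere (not visible here), so `case "${1:-}" in` is safer either way, and in `fleetlock_enable_unlock_service()` `need_reload` and `unit_file` should be `local` like the other function variables in this file. The body of `fleetlock_unlock()` and the start of `main()` lie outside the hunks.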


@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
ip="${1}" ip="${1}"
ssh_proxy="${2}"
if [[ -z "${ip}" ]]; then if [[ -z "${ip}" ]]; then
echo "Please specify a cloud image host that the script should do the following on:" echo "Please specify a cloud image host that the script should do the following on:"
@ -9,6 +10,9 @@ if [[ -z "${ip}" ]]; then
echo " #4 reboot to start using the new kernel, updated packages etc." echo " #4 reboot to start using the new kernel, updated packages etc."
exit 1 exit 1
fi fi
if [[ -n "${ssh_proxy}" ]]; then
proxyjump="-o ProxyJump=${ssh_proxy}"
fi
set -x set -x
@ -21,5 +25,5 @@ script_dir=$(dirname "$0")
# === # ===
# userdel: user debian is currently used by process 1082 # userdel: user debian is currently used by process 1082
# === # ===
ssh "debian@${ip}" "bash -s" < "$script_dir"/iaas-enable-root.sh ssh "debian@${ip}" ${proxyjump} "bash -s" < "$script_dir"/iaas-enable-root.sh
ssh "root@${ip}" "bash -s" < "$script_dir"/iaas-setup.sh ssh "root@${ip}" ${proxyjump} "bash -s" < "$script_dir"/iaas-setup.sh
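Review bot: The two ssh lines pass `${proxyjump}` unquoted after the host so that the shell splits `-o ProxyJump=...` into two words, and rely on OpenSSH re-parsing options that follow the host name; the same pattern is in the prepare-iaas-ubuntu section below. An array removes the word-splitting dependency and reads as an option: `ssh_opts=()` near the top, `ssh_opts+=(-o "ProxyJump=${ssh_proxy}")` inside the new `if`, and `ssh "${ssh_opts[@]}" "debian@${ip}" "bash -s" < ...` on the two call lines. The usage text printed when `ip` is empty does not mention the new optional second argument; a line such as `echo "Optional second argument: ssh ProxyJump host"` would document it.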


@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
ip="${1}" ip="${1}"
ssh_proxy="${2}"
if [[ -z "${ip}" ]]; then if [[ -z "${ip}" ]]; then
echo "Please specify a cloud image host that the script should do the following on:" echo "Please specify a cloud image host that the script should do the following on:"
@ -10,6 +11,9 @@ if [[ -z "${ip}" ]]; then
exit 1 exit 1
fi fi
if [[ -n "${ssh_proxy}" ]]; then
proxyjump="-o ProxyJump=${ssh_proxy}"
fi
set -x set -x
# Make sure we read the additional scripts from the same directory as # Make sure we read the additional scripts from the same directory as
@ -21,5 +25,5 @@ script_dir=$(dirname "$0")
# === # ===
# userdel: user ubuntu is currently used by process 44063 # userdel: user ubuntu is currently used by process 44063
# === # ===
ssh "ubuntu@${ip}" "bash -s" < "$script_dir"/iaas-enable-root.sh ssh "ubuntu@${ip}" ${proxyjump} "bash -s" < "$script_dir"/iaas-enable-root.sh
ssh "root@${ip}" "bash -s" < "$script_dir"/iaas-setup.sh ssh "root@${ip}" ${proxyjump} "bash -s" < "$script_dir"/iaas-setup.sh