From 45442e8c90a2a2331830b8a4fc24e66b29f6a7f6 Mon Sep 17 00:00:00 2001
From: Leif Johansson
Date: Tue, 10 Apr 2018 12:43:37 +0200
Subject: [PATCH] port of eduid cloudimage and kvm stuff to eid-ops
---
 .../etc/puppet/modules/eid/cloudimage.pp | 68 ++++++++++++++
 .../puppet/modules/eid/manifests/kvmhost.pp | 40 +++++++++
 .../eid/templates/eid/bootstrap-cosmos.sh.erb | 89 +++++++++++++++++++
 manifests | 1 +
 templates | 1 +
 5 files changed, 199 insertions(+)
 create mode 100644 global/overlay/etc/puppet/modules/eid/cloudimage.pp
 create mode 100644 global/overlay/etc/puppet/modules/eid/manifests/kvmhost.pp
 create mode 100755 global/overlay/etc/puppet/modules/eid/templates/eid/bootstrap-cosmos.sh.erb
 create mode 120000 manifests
 create mode 120000 templates
diff --git a/global/overlay/etc/puppet/modules/eid/cloudimage.pp b/global/overlay/etc/puppet/modules/eid/cloudimage.pp
new file mode 100644
index 00000000..d217a39d
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/cloudimage.pp
@@ -0,0 +1,68 @@
+# Wrapper with eduID common settings for sunet::cloudimage
+define eid::cloudimage(
+ String $mac,
+ String $cpus = '1',
+ String $memory = '1024',
+ String $description = undef,
+ Boolean $dhcp = true,
+ Optional[String] $ip = undef,
+ Optional[String] $netmask = undef,
+ Optional[String] $gateway = undef,
+ Optional[String] $ip6 = undef,
+ Optional[String] $netmask6 = '64',
+ Optional[String] $gateway6 = undef,
+ Optional[Array] $resolver = undef,
+ Array[String] $search = ['komreg.net'],
+ String $bridge = 'br0',
+ String $size = '40G',
+ String $local_size = '0',
+ String $image_url = 'https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img',
+) {
+ # This is a hack, use SSH keys from KVM host?
+ $ft_ssh_key = hiera('ssh_authorized_keys')['root_ft+4030CCAD']
+ $cloudimage_ssh_keys = [sprintf('%s %s %s', $ft_ssh_key['type'], $ft_ssh_key['key'], $ft_ssh_key['name'])]
+
+ $_v6_resolver = $ip6 ? {
+ undef => undef,
+ default => ['2001:6b0:1e::14',
+ '2001:6b0:1e::99',
+ ],
+ }
+
+ $_resolver1 = pick($resolver, $_v6_resolver, 'NOT_SET')
+ $_resolver = $_resolver1 ? {
+ 'NOT_SET' => undef,
+ default => $_resolver1,
+ }
+
+ $apt_proxy = safe_hiera('eid_proxy_server', undef)
+
+ sunet::cloudimage { $name:
+ image_url => $image_url,
+ ssh_keys => $cloudimage_ssh_keys,
+ apt_dir => '/etc/cosmos/apt',
+ apt_proxy => $apt_proxy,
+ disable_ec2 => true,
+ #
+ bridge => $bridge,
+ dhcp => $dhcp,
+ mac => $mac,
+ ip => $ip,
+ netmask => $netmask,
+ gateway => $gateway,
+ ip6 => $ip6,
+ netmask6 => $netmask6,
+ gateway6 => $gateway6,
+ resolver => $_resolver,
+ search => $search,
+ #
+ repo => $::cosmos_repo_origin_url,
+ tagpattern => $::cosmos_tag_pattern,
+ #
+ cpus => $cpus,
+ memory => $memory,
+ description => $description,
+ size => $size,
+ local_size => $local_size,
+ }
+}
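Review bot: The define is added as `modules/eid/cloudimage.pp`, outside the module's `manifests/` directory, so the Puppet autoloader will not find `eid::cloudimage` when a host declares it; the sibling `kvmhost.pp` in this same patch sits under `manifests/`, and this file should too. Independently, `String $description = undef` fails type checking whenever a caller omits the parameter, because `String` does not admit Undef; declare it `Optional[String] $description = undef` like the address parameters above it. The lookup `hiera('ssh_authorized_keys')['root_ft+4030CCAD']` hard-wires one named key as the root key for every guest this define creates, which the comment already calls a hack; exposing the key name as a parameter (e.g. `String $ssh_key_name = 'root_ft+4030CCAD'`) keeps which keys get root on new VMs visible per host rather than buried in the wrapper. `$resolver` is typed `Optional[Array]` while every other list here is element-typed; `Optional[Array[String]]` would match the `$search` declaration.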
diff --git a/global/overlay/etc/puppet/modules/eid/manifests/kvmhost.pp b/global/overlay/etc/puppet/modules/eid/manifests/kvmhost.pp
new file mode 100644
index 00000000..c3f72bcd
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/manifests/kvmhost.pp
@@ -0,0 +1,40 @@
+class eid::kvmhost(
+ $proxy_server = hiera('eid_proxy_server'),
+ $no_proxy = hiera('eid_no_proxy'),
+) {
+ file {
+ '/etc/cosmos-manual-reboot':
+ ensure => present,
+ ;
+ '/etc/cosmos/apt/bootstrap-cosmos.sh':
+ ensure => 'file',
+ mode => '0755',
+ content => template('eid/kvm/bootstrap-cosmos.sh.erb'),
+ ;
+ }
+
+ package { ['bridge-utils',
+ 'vlan',
+ ]: ensure => 'present' }
+
+ exec { 'fix_iptables_forwarding_for_guests':
+ command => 'sed -i "/^COMMIT/i-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before.rules; ufw reload',
+ path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+ unless => 'grep -q -- "^-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before.rules',
+ onlyif => 'test -f /etc/ufw/before.rules',
+ }
+
+ exec { 'fix_ip6tables_forwarding_for_guests':
+ command => 'sed -i "/^COMMIT/i-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before6.rules; ufw reload',
+ path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+ unless => 'grep -q -- "^-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before6.rules',
+ onlyif => 'test -f /etc/ufw/before6.rules',
+ }
+
+ sunet::snippets::file_line {
+ 'load_vlan_module_at_boot':
+ filename => '/etc/modules',
+ line => '8021q',
+ ;
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/eid/templates/eid/bootstrap-cosmos.sh.erb b/global/overlay/etc/puppet/modules/eid/templates/eid/bootstrap-cosmos.sh.erb
new file mode 100755
index 00000000..30a5a1bc
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/templates/eid/bootstrap-cosmos.sh.erb
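Review bot: `content => template('eid/kvm/bootstrap-cosmos.sh.erb')` resolves to `modules/eid/templates/kvm/bootstrap-cosmos.sh.erb`, but the template this patch adds is at `templates/eid/bootstrap-cosmos.sh.erb`, so the `/etc/cosmos/apt/bootstrap-cosmos.sh` file resource will fail at catalog compile time; either move the template to `templates/kvm/` (which is also what the script's own header comment claims) or change the call to `template('eid/eid/bootstrap-cosmos.sh.erb')`. The two `exec` resources insert `-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT`, which accepts every bridged frame through ufw's FORWARD chain on this host irrespective of which bridge or port it crosses; a comment such as `# pass all bridged guest traffic through ufw FORWARD; guests are expected to filter their own traffic` would make that scope an explicit decision rather than an accident of the rule. `$no_proxy` is fetched from hiera but never used in this class, and `hiera('eid_proxy_server')` has no default, so a host without that key aborts compilation even though the template treats `""` as "no proxy"; `hiera('eid_proxy_server', '')` (and the same for `$no_proxy`, if the template really consumes it) would align the two.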
@@ -0,0 +1,89 @@
+#!/bin/sh
+#
+# Script to bootstrap new machines. Created on KVM hosts and copied to VMs
+# when they are created. Source is templates/kvm/bootstrap-cosmos.sh.erb.
+#
+
+set -e
+
+cmd_hostname="$1"
+if test -z "$cmd_hostname"; then
+ echo "Usage: $0 HOSTNAME REPO TAGPATTERN"
+ exit 1
+fi
+
+cmd_repo="$2"
+if test -z "$cmd_repo"; then
+ echo "Usage $0 HOSTNAME REPO TAGPATTERN"
+ exit 2
+fi
+
+cmd_tags="$3"
+if test -z "$cmd_tags"; then
+ echo "Usage $0 HOSTNAME REPO TAGPATTERN"
+ exit 3
+fi
+
+set -x
+
+
+# cloud-init runs with LANG='US-ASCII' which is likely to fail because of non-US-ASCII chars in the manifest
+export LANG='en_US.UTF-8'
+
+<% if @proxy_server != "" -%>
+# Set up HTTP proxy for eduID (dev)
+cat >> /etc/environment <
+# No proxy server configured in this environment
+<% end %>
+
+export DEBIAN_FRONTEND='noninteractive'
+
+apt-get update
+apt-get -y install rsync git-core
+dpkg -i cosmos_1.5-1_all.deb
+
+if ! test -d /var/cache/cosmos/repo; then
+ cosmos clone "$cmd_repo"
+fi
+
+# re-run cosmos at reboot until it succeeds - use bash -l to get working proxy settings
+grep -v "^exit 0" /etc/rc.local > /etc/rc.local.new
+(echo ""
+ echo "test -f /etc/run-cosmos-at-boot && (bash -l cosmos -v update; bash -l cosmos -v apply && rm /etc/run-cosmos-at-boot)"
+ echo ""
+ echo "exit 0"
+) >> /etc/rc.local.new
+mv -f /etc/rc.local.new /etc/rc.local
+
+touch /etc/run-cosmos-at-boot
+
+hostname $cmd_hostname
+
+# Set up cosmos models. They are in the order of most significant first, so we want
+#
+_host_type=`echo $cmd_hostname | cut -d - -f 1`
+models=$(
+ echo -n '\\$COSMOS_REPO/'"$cmd_hostname/:"
+ test -d /var/cache/cosmos/repo/${_host_type}-common && echo -n '\\$COSMOS_REPO/'"${_host_type}-common/:"
+ echo -n '\\$COSMOS_REPO/global/'
+)
+echo "Configuring cosmos with the following models:"
+echo "${models}"
+
+perl -pi -e "s,#COSMOS_REPO_MODELS=.*,COSMOS_REPO_MODELS=\"${models}\"," /etc/cosmos/cosmos.conf
+perl -pi -e "s,#COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=.*,COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=\"${cmd_tags}*\"," /etc/cosmos/cosmos.conf
+
+env COSMOS_BASE=/var/cache/cosmos COSMOS_KEYS=/var/cache/cosmos/repo/global/overlay/etc/cosmos/keys /var/cache/cosmos/repo/global/post-tasks.d/015cosmos-trust
+
+(date; nohup cosmos -v update && nohup cosmos -v apply && rm /etc/run-cosmos-at-boot; date) 2>&1 | tee /var/log/cosmos.log
+
+exit 0
diff --git a/manifests b/manifests
new file mode 120000
index 00000000..b321c1bc
--- /dev/null
+++ b/manifests
@@ -0,0 +1 @@
+global/overlay/etc/puppet/modules/eid/manifests
\ No newline at end of file
diff --git a/templates b/templates
new file mode 120000
index 00000000..c4b3479e
--- /dev/null
+++ b/templates
@@ -0,0 +1 @@
+global/overlay/etc/puppet/modules/eid/templates
\ No newline at end of file
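Review bot: The last pipeline `(... nohup cosmos -v apply && rm /etc/run-cosmos-at-boot; date) 2>&1 | tee /var/log/cosmos.log` discards the outcome of the first `cosmos apply`: with `set -e` in `/bin/sh` only `tee`'s status is checked, and the script then ends with an unconditional `exit 0`, so a failed initial apply is reported as success to whatever invokes the bootstrap and is only retried by the rc.local hook at the next reboot. Writing the chain's status inside the subshell and exiting with it, e.g. `...; echo $? > /var/log/cosmos.status; date) 2>&1 | tee /var/log/cosmos.log` followed by `exit "$(cat /var/log/cosmos.status)"` (the status file name is an example), keeps the log and still surfaces the failure. `dpkg -i cosmos_1.5-1_all.deb` depends on the current working directory and pins a version nothing else in the patch references, so an absolute path and a comment on where the package is expected to come from would help, and `hostname $cmd_hostname` plus the backtick `_host_type=` line should quote `$cmd_hostname`. The `015cosmos-trust` step runs with `COSMOS_KEYS` pointing into the repository that was just cloned and not yet tag-verified, which appears to mean the keys used for the later `COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN` verification are trusted on first use from the clone itself; if that is the intended trust model, a comment saying so belongs above the `env ...` line. The body of the `cat >> /etc/environment <` heredoc in the proxy block is not visible in this copy of the patch, so that part could not be reviewed.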