port of eduid cloudimage and kvm stuff to eid-ops

global/overlay/etc/puppet/modules/eid/cloudimage.pp

@@ -0,0 +1,68 @@
+# Wrapper with eduID common settings for sunet::cloudimage
+define eid::cloudimage(
+  String           $mac,
+  String           $cpus        = '1',
+  String           $memory      = '1024',
+  String           $description = undef,
+  Boolean          $dhcp        = true,
+  Optional[String] $ip          = undef,
+  Optional[String] $netmask     = undef,
+  Optional[String] $gateway     = undef,
+  Optional[String] $ip6         = undef,
+  Optional[String] $netmask6    = '64',
+  Optional[String] $gateway6    = undef,
+  Optional[Array]  $resolver    = undef,
+  Array[String]    $search      = ['komreg.net'],
+  String           $bridge      = 'br0',
+  String           $size        = '40G',
+  String           $local_size  = '0',
+  String           $image_url   = 'https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img',
+) {
+  # This is a hack, use SSH keys from KVM host?
+  $ft_ssh_key = hiera('ssh_authorized_keys')['root_ft+4030CCAD']
+  $cloudimage_ssh_keys = [sprintf('%s %s %s', $ft_ssh_key['type'], $ft_ssh_key['key'], $ft_ssh_key['name'])]
+
+  $_v6_resolver = $ip6 ? {
+    undef   => undef,
+    default => ['2001:6b0:1e::14',
+                '2001:6b0:1e::99',
+                ],
+  }
+
+  $_resolver1 = pick($resolver, $_v6_resolver, 'NOT_SET')
+  $_resolver = $_resolver1 ? {
+    'NOT_SET' => undef,
+    default   => $_resolver1,
+  }
+
+  $apt_proxy = safe_hiera('eid_proxy_server', undef)
+
+  sunet::cloudimage { $name:
+    image_url   => $image_url,
+    ssh_keys    => $cloudimage_ssh_keys,
+    apt_dir     => '/etc/cosmos/apt',
+    apt_proxy   => $apt_proxy,
+    disable_ec2 => true,
+    #
+    bridge      => $bridge,
+    dhcp        => $dhcp,
+    mac         => $mac,
+    ip          => $ip,
+    netmask     => $netmask,
+    gateway     => $gateway,
+    ip6         => $ip6,
+    netmask6    => $netmask6,
+    gateway6    => $gateway6,
+    resolver    => $_resolver,
+    search      => $search,
+    #
+    repo        => $::cosmos_repo_origin_url,
+    tagpattern  => $::cosmos_tag_pattern,
+    #
+    cpus        => $cpus,
+    memory      => $memory,
+    description => $description,
+    size        => $size,
+    local_size  => $local_size,
+  }
+}

global/overlay/etc/puppet/modules/eid/manifests/kvmhost.pp

@@ -0,0 +1,40 @@
+class eid::kvmhost(
+  $proxy_server = hiera('eid_proxy_server'),
+  $no_proxy     = hiera('eid_no_proxy'),
+) {
+  file {
+    '/etc/cosmos-manual-reboot':
+      ensure => present,
+      ;
+    '/etc/cosmos/apt/bootstrap-cosmos.sh':
+      ensure  => 'file',
+      mode    => '0755',
+      content => template('eid/kvm/bootstrap-cosmos.sh.erb'),
+      ;
+  }
+
+  package { ['bridge-utils',
+             'vlan',
+             ]: ensure => 'present' }
+
+  exec { 'fix_iptables_forwarding_for_guests':
+    command => 'sed -i "/^COMMIT/i-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before.rules; ufw reload',
+    path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+    unless  => 'grep -q -- "^-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before.rules',
+    onlyif  => 'test -f /etc/ufw/before.rules',
+  }
+
+  exec { 'fix_ip6tables_forwarding_for_guests':
+    command => 'sed -i "/^COMMIT/i-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before6.rules; ufw reload',
+    path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+    unless  => 'grep -q -- "^-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before6.rules',
+    onlyif  => 'test -f /etc/ufw/before6.rules',
+  }
+
+  sunet::snippets::file_line {
+    'load_vlan_module_at_boot':
+      filename => '/etc/modules',
+      line     => '8021q',
+      ;
+  }
+}

global/overlay/etc/puppet/modules/eid/templates/eid/bootstrap-cosmos.sh.erb

@@ -0,0 +1,89 @@
+#!/bin/sh
+#
+# Script to bootstrap new machines. Created on KVM hosts and copied to VMs
+# when they are created. Source is templates/kvm/bootstrap-cosmos.sh.erb.
+#
+
+set -e
+
+cmd_hostname="$1"
+if test -z "$cmd_hostname"; then
+    echo "Usage: $0 HOSTNAME REPO TAGPATTERN"
+    exit 1
+fi
+
+cmd_repo="$2"
+if test -z "$cmd_repo"; then
+   echo "Usage $0 HOSTNAME REPO TAGPATTERN"
+   exit 2
+fi
+
+cmd_tags="$3"
+if test -z "$cmd_tags"; then
+   echo "Usage $0 HOSTNAME REPO TAGPATTERN"
+   exit 3
+fi
+
+set -x
+
+
+# cloud-init runs with LANG='US-ASCII' which is likely to fail because of non-US-ASCII chars in the manifest
+export LANG='en_US.UTF-8'
+
+<% if @proxy_server != "" -%>
+# Set up HTTP proxy for eduID (dev)
+cat >> /etc/environment <<EOF
+HTTP_PROXY='<%= @proxy_server %>'
+http_proxy='<%= @proxy_server %>'
+HTTPS_PROXY='<%= @proxy_server %>'
+https_proxy='<%= @proxy_server %>'
+no_proxy='<%= @no_proxy %>'
+EOF
+. /etc/environment
+export HTTP_PROXY http_proxy HTTPS_PROXY https_proxy no_proxy
+<% else -%>
+# No proxy server configured in this environment
+<% end %>
+
+export DEBIAN_FRONTEND='noninteractive'
+
+apt-get update
+apt-get -y install rsync git-core
+dpkg -i cosmos_1.5-1_all.deb
+
+if ! test -d /var/cache/cosmos/repo; then
+    cosmos clone "$cmd_repo"
+fi
+
+# re-run cosmos at reboot until it succeeds - use bash -l to get working proxy settings
+grep -v "^exit 0" /etc/rc.local > /etc/rc.local.new
+(echo ""
+ echo "test -f /etc/run-cosmos-at-boot && (bash -l cosmos -v update; bash -l cosmos -v apply && rm /etc/run-cosmos-at-boot)"
+ echo ""
+ echo "exit 0"
+) >> /etc/rc.local.new
+mv -f /etc/rc.local.new /etc/rc.local
+
+touch /etc/run-cosmos-at-boot
+
+hostname $cmd_hostname
+
+# Set up cosmos models. They are in the order of most significant first, so we want
+# <host> <group (if it exists)> <global>
+_host_type=`echo $cmd_hostname | cut -d - -f 1`
+models=$(
+    echo -n '\\$COSMOS_REPO/'"$cmd_hostname/:"
+    test -d /var/cache/cosmos/repo/${_host_type}-common && echo -n '\\$COSMOS_REPO/'"${_host_type}-common/:"
+    echo -n '\\$COSMOS_REPO/global/'
+)
+echo "Configuring cosmos with the following models:"
+echo "${models}"
+
+perl -pi -e "s,#COSMOS_REPO_MODELS=.*,COSMOS_REPO_MODELS=\"${models}\"," /etc/cosmos/cosmos.conf
+perl -pi -e "s,#COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=.*,COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=\"${cmd_tags}*\"," /etc/cosmos/cosmos.conf
+
+env COSMOS_BASE=/var/cache/cosmos COSMOS_KEYS=/var/cache/cosmos/repo/global/overlay/etc/cosmos/keys /var/cache/cosmos/repo/global/post-tasks.d/015cosmos-trust
+
+(date; nohup cosmos -v update && nohup cosmos -v apply && rm /etc/run-cosmos-at-boot; date) 2>&1 | tee /var/log/cosmos.log
+
+exit 0

manifests

@@ -0,0 +1 @@
+global/overlay/etc/puppet/modules/eid/manifests

templates

@@ -0,0 +1 @@
+global/overlay/etc/puppet/modules/eid/templates