authorLeif Johansson <leifj@sunet.se>2013-09-02 16:01:50 +0200
committerLeif Johansson <leifj@sunet.se>2013-09-02 16:01:50 +0200
commit7515782eb503152dfc3e84fee1260fb10d560df9 (patch)
treece0087dc774a156c6a74f11d3af92ef5686b4972
import
-rw-r--r--README24
-rwxr-xr-xaddhost45
-rwxr-xr-xapt/bootstrap-cosmos.sh35
-rw-r--r--apt/cosmos_1.2-2_all.debbin0 -> 11724 bytes
l---------cosmos-rules.yaml1
-rw-r--r--cosmos.conf2
l---------default/README1
-rw-r--r--fabfile/__init__.py53
-rw-r--r--fabfile/__init__.pycbin0 -> 2999 bytes
-rw-r--r--global/overlay/etc/cosmos/keys/.placeholder0
-rw-r--r--global/overlay/etc/cron.d/cosmos4
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf11
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rwxr-xr-xglobal/overlay/etc/puppet/cosmos_enc.py24
-rw-r--r--global/overlay/etc/puppet/hiera.yaml0
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp52
-rw-r--r--global/overlay/etc/puppet/puppet.conf14
-rwxr-xr-xglobal/post-tasks.d/010fix-ssh-perms23
-rwxr-xr-xglobal/post-tasks.d/015cosmos-trust16
-rwxr-xr-xglobal/post-tasks.d/020reports4
-rwxr-xr-xglobal/post-tasks.d/030puppet13
-rwxr-xr-xglobal/post-tasks.d/099autoremove4
-rwxr-xr-xglobal/post-tasks.d/999reboot3
-rwxr-xr-xglobal/pre-tasks.d/020common-tools16
-rwxr-xr-xglobal/pre-tasks.d/030puppet35
25 files changed, 382 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..d7ab52d
--- /dev/null
+++ b/README
@@ -0,0 +1,24 @@
+
+Initial setup:
+
+ git clone git://github.com/leifj/multiverse.git myproj-cosmos
+ cd myproj-cosmos
+
+ - rename the github upstream
+
+ git remote rename origin github
+
+ - add a new upstream & ro branch
+
+ git remote add origin git@//yourhost/myproj-cosmos.git
+ git remote add ro git://yourhost/myproj-cosmos.git
+
+ - add stuff...
+
+ make bump
+
+To add a new host:
+
+ - Make sure you have root access using an SSH key
+ - ./addhost <fqdn>
+
diff --git a/addhost b/addhost
new file mode 100755
index 0000000..7099020
--- /dev/null
+++ b/addhost
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+cmd_hostname=""
+cmd_do_bootstrap="no"
+
+set -- $(getopt b?h? "$@")
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ (-h) echo "Usage: $0 [-h] [-b] [--] [<host>]"; exit 0;;
+ (-b) cmd_do_bootstrap="yes" ;;
+ (--) shift; break;;
+ (-*) echo "Unknown option $1\nUsage: $0 [-b] [-h] [--] <host>"; exit 1;;
+ (*) break;;
+ esac
+ shift
+done
+
+if [ ! -z "$1" -a -z "$cmd_hostname" ]; then
+ cmd_hostname="$1"
+fi
+
+if test -z "$cmd_hostname"; then
+ echo "Usage: $0 [-h] [-b] [--] <host>"
+ exit 1
+fi
+
+test -f cosmos.conf && . ./cosmos.conf
+
+defrepo=`git remote -v | grep ${remote:="ro"} | grep fetch | awk '{print $2}'`
+rrepo=${repo:="$defrepo"}
+
+if [ ! -d $cmd_hostname ]; then
+ cp -pr default $cmd_hostname
+ git add $cmd_hostname
+ git commit -m "$cmd_hostname added" $cmd_hostname
+ ./bump-tag
+fi
+
+if [ "$cmd_do_bootstrap" = "yes" ]; then
+ scp apt/cosmos_1.2-2_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname:
+ ssh root@$cmd_hostname ./bootstrap-cosmos.sh $cmd_hostname $rrepo
+ ssh root@$cmd_hostname cosmos update
+ ssh root@$cmd_hostname cosmos apply
+fi
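Review bot: `$cmd_hostname` comes straight from the command line and is then used unquoted as a directory name (`cp -pr default $cmd_hostname`, `git add`) and inside the command strings that `ssh` passes to a root shell on the target, so a value containing whitespace, `/` or shell metacharacters changes what runs locally and remotely. Reject anything that is not a plain host name right after the usage check, e.g. `case "$cmd_hostname" in (*[!A-Za-z0-9.-]*|[-.]*) echo "invalid host name"; exit 1;; esac`, and double-quote the expansions that follow, including `$rrepo`. The optstring in `set -- $(getopt b?h? "$@")` is also unquoted and therefore open to pathname expansion; quoting it removes that dependency on the contents of the working directory.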
diff --git a/apt/bootstrap-cosmos.sh b/apt/bootstrap-cosmos.sh
new file mode 100755
index 0000000..1e8b751
--- /dev/null
+++ b/apt/bootstrap-cosmos.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -e
+
+cmd_hostname="$1"
+if test -z "$cmd_hostname"; then
+ echo "Usage: $0 HOSTNAME REPO"
+ exit 1
+fi
+
+cmd_repo="$2"
+if test -z "$cmd_repo"; then
+ echo "Usage $0 HOSTNAME REPO"
+ exit 2
+fi
+
+set -x
+
+apt-get -y install rsync git-core
+dpkg -i cosmos_1.2-2_all.deb
+
+if ! test -d /var/cache/cosmos/repo; then
+ cosmos clone "$cmd_repo"
+fi
+
+hostname $cmd_hostname
+
+perl -pi -e "s,#COSMOS_REPO_MODELS=.*,COSMOS_REPO_MODELS=\"\\\$COSMOS_REPO/global/:\\\$COSMOS_REPO/$cmd_hostname/\"," /etc/cosmos/cosmos.conf
+perl -pi -e 's,#COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN=.*,COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN="eduid-cosmos*",' /etc/cosmos/cosmos.conf
+
+COSMOS_BASE=/var/cache/cosmos /var/cache/cosmos/repo/global/pre-tasks.d/010cosmos-trust
+
+(date; nohup cosmos -v update && nohup cosmos -v apply; date) > /var/log/cosmos.log 2>&1
+
+exit 0
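Review bot: The line `COSMOS_BASE=/var/cache/cosmos /var/cache/cosmos/repo/global/pre-tasks.d/010cosmos-trust` runs a script this commit does not add; the diffstat has the trust script at `global/post-tasks.d/015cosmos-trust`, so under `set -e` the bootstrap would stop here unless that path is provided some other way. This also appears to be the step that seeds the GPG trust used for later tag verification, and it runs as root from a clone whose contents have not been verified at that point (the README example remote is `git://`), so the first key import is trust-on-first-use. A comment stating that, together with a check of the imported key fingerprints against a value obtained out of band, would make the trust decision explicit. `hostname $cmd_hostname` and the first `perl -pi` expression should quote or validate `$cmd_hostname`, since it is interpolated into the substitution text.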
diff --git a/apt/cosmos_1.2-2_all.deb b/apt/cosmos_1.2-2_all.deb
new file mode 100644
index 0000000..9fe4434
--- /dev/null
+++ b/apt/cosmos_1.2-2_all.deb
Binary files differ
diff --git a/cosmos-rules.yaml b/cosmos-rules.yaml
new file mode 120000
index 0000000..106567c
--- /dev/null
+++ b/cosmos-rules.yaml
@@ -0,0 +1 @@
+global/overlay/etc/puppet/cosmos-rules.yaml \ No newline at end of file
diff --git a/cosmos.conf b/cosmos.conf
new file mode 100644
index 0000000..32f286a
--- /dev/null
+++ b/cosmos.conf
@@ -0,0 +1,2 @@
+tag="eduid-cosmos"
+#repo=git://override-repo-URL
diff --git a/default/README b/default/README
new file mode 120000
index 0000000..59a23c4
--- /dev/null
+++ b/default/README
@@ -0,0 +1 @@
+../README \ No newline at end of file
diff --git a/fabfile/__init__.py b/fabfile/__init__.py
new file mode 100644
index 0000000..5574f3a
--- /dev/null
+++ b/fabfile/__init__.py
@@ -0,0 +1,53 @@
+from fabric.api import run,env
+from fabric.operations import get
+import os
+import yaml
+import re
+
+def _all_hosts():
+ return filter(lambda fn: '.' in fn and not fn.startswith('.') and os.path.isdir(fn),os.listdir("."))
+
+def _roledefs():
+ rules = dict()
+
+ rules_file = "cosmos-rules.yaml";
+ if os.path.exists(rules_file):
+ with open(rules_file) as fd:
+ rules.update(yaml.load(fd))
+
+ roles = dict()
+ for node_name in _all_hosts():
+ for reg,cls in rules.iteritems():
+ if re.search(reg,node_name):
+ for cls_name in cls.keys():
+ h = roles.get(cls_name,[])
+ h.append(node_name)
+ roles[cls_name] = h
+ return roles
+
+env.user = 'root'
+env.timeout = 30
+env.connection_attempts = 3
+env.warn_only = True
+env.skip_bad_hosts = True
+env.roledefs = _roledefs()
+
+print repr(env.roledefs)
+
+def all():
+ env.hosts = _all_hosts()
+
+def cosmos():
+ run("cosmos update && cosmos apply");
+
+def upgrade():
+ run("apt-get -qq update && apt-get -y -q dist-upgrade");
+
+def facts():
+ get("/var/run/facts.yaml",local_path="facts/%(host)s.yaml")
+
+def chassis():
+ run("ipmi-chassis --get-chassis-status")
+
+def newvm(fqdn,ip,domain):
+ run("vmbuilder kvm ubuntu --domain %s --dest /var/lib/libvirt/images/%s.img --arch x86_64 --hostname %s --mem 512 --ip %s --addpkg openssh-server" % (domain,fqdn,fqdn,ip))
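Review bot: `rules.update(yaml.load(fd))` in `_roledefs()` uses the full YAML loader, which can construct arbitrary Python objects from tags in the file; the rules are a plain mapping, so `rules.update(yaml.safe_load(fd) or {})` is sufficient and also tolerates an empty file. The same call appears in `global/overlay/etc/puppet/cosmos_enc.py`, which puppet.conf registers as `external_nodes`. Separately, `newvm()` interpolates `fqdn`, `ip` and `domain` into a shell command that runs as root (`env.user = 'root'`) without quoting; passing each value through `pipes.quote()` keeps a stray space or metacharacter from altering the command. `_roledefs()` and the module-level `print repr(env.roledefs)` would also benefit from a short docstring and comment saying that roles are derived from directory names matched against the rule regexes.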
diff --git a/fabfile/__init__.pyc b/fabfile/__init__.pyc
new file mode 100644
index 0000000..d66ff5d
--- /dev/null
+++ b/fabfile/__init__.pyc
Binary files differ
diff --git a/global/overlay/etc/cosmos/keys/.placeholder b/global/overlay/etc/cosmos/keys/.placeholder
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/global/overlay/etc/cosmos/keys/.placeholder
diff --git a/global/overlay/etc/cron.d/cosmos b/global/overlay/etc/cron.d/cosmos
new file mode 100644
index 0000000..b157bde
--- /dev/null
+++ b/global/overlay/etc/cron.d/cosmos
@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+*/15 * * * * root test -f /etc/no-automatic-cosmos || (cosmos update && cosmos apply)
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
new file mode 100644
index 0000000..d8ad043
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -0,0 +1,11 @@
+#
+# name source (puppetlabs fq name or git url) upgrade (yes/no)
+#
+concat puppetlabs/concat no
+stdlib puppetlabs/stdlib no
+ufw attachmentgenie/ufw no
+apt puppetlabs/apt no
+vcsrepo puppetlabs/vcsrepo no
+xinetd puppetlabs/xinetd no
+#golang elithrar/golang yes
+#python git://github.com/stankevich/puppet-python.git yes
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
new file mode 100644
index 0000000..d9dc495
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -0,0 +1,2 @@
+'ns[0-9]?.mnt.se$':
+ nameserver:
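Review bot: The key `'ns[0-9]?.mnt.se$'` is evaluated with `re.search` (in `cosmos_enc.py` and `fabfile/__init__.py`), has no start anchor and leaves its dots unescaped, so names such as `dns1.mnt.se` or `ns1xmnt.se` (constructed examples) would also receive the `nameserver` class. Because a match decides which Puppet classes a host is given, anchor and escape the pattern: `'^ns[0-9]?\.mnt\.se$':`. A comment above the entry saying that keys are Python regular expressions applied with `re.search` would help the next editor.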
diff --git a/global/overlay/etc/puppet/cosmos_enc.py b/global/overlay/etc/puppet/cosmos_enc.py
new file mode 100755
index 0000000..63c3a66
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos_enc.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+import sys
+import yaml
+import os
+import re
+
+rules_path = os.environ.get("COSMOS_RULES_PATH","/etc/puppet")
+
+node_name = sys.argv[1]
+
+rules = dict()
+for p in rules_path.split(":"):
+ rules_file = os.path.join(p,"cosmos-rules.yaml")
+ if os.path.exists(rules_file):
+ with open(rules_file) as fd:
+ rules.update(yaml.load(fd))
+
+classes = dict()
+for reg,cls in rules.iteritems():
+ if re.search(reg,node_name):
+ classes.update(cls)
+
+print yaml.dump(dict(classes=classes))
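Review bot: `node_name = sys.argv[1]` is read without checking that an argument was passed, and `classes.update(cls)` assumes every rule value is a mapping, so a bare invocation or a rule with an empty value ends in a traceback instead of ENC output. Puppet presumably treats a failing ENC as a classification error, so an explicit message is easier to diagnose: `if len(sys.argv) != 2: sys.exit("usage: cosmos_enc.py NODE_NAME")` and `classes.update(cls or {})`. A module docstring describing the `COSMOS_RULES_PATH` search order (later directories override earlier ones through `rules.update`) would document the precedence that the loop implements.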
diff --git a/global/overlay/etc/puppet/hiera.yaml b/global/overlay/etc/puppet/hiera.yaml
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/global/overlay/etc/puppet/hiera.yaml
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
new file mode 100644
index 0000000..c276f84
--- /dev/null
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -0,0 +1,52 @@
+# This manifest is managed using cosmos
+
+Exec {
+ path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+}
+
+# include some of this stuff for additional features
+
+#include cosmos::tools
+#include cosmos::motd
+#include cosmos::ntp
+#include cosmos::rngtools
+#include cosmos::preseed
+include ufw
+include apt
+include cosmos
+
+# you need a default node
+
+node default {
+
+}
+
+# edit and uncomment to manage ssh root keys in a simple way
+
+#class { 'cosmos::access':
+# keys => [
+# "ssh-rsa ..."
+# ]
+#}
+
+# example config for the nameserver class which is matched in cosmos-rules.yaml
+
+#class nameserver {
+# package {'bind9':
+# ensure => latest
+# }
+# service {'bind9':
+# ensure => running
+# }
+# ufw::allow { "allow-dns-udp":
+# ip => 'any',
+# port => 53,
+# proto => "udp"
+# }
+# ufw::allow { "allow-dns-tcp":
+# ip => 'any',
+# port => 53,
+# proto => "tcp"
+# }
+#}
+
diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf
new file mode 100644
index 0000000..0ba85f4
--- /dev/null
+++ b/global/overlay/etc/puppet/puppet.conf
@@ -0,0 +1,14 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+templatedir=$confdir/templates
+node_terminus = exec
+external_nodes = /etc/puppet/cosmos_enc.py
+
+[master]
+# These are needed when the puppetmaster is run by passenger
+# and can safely be removed if webrick is used.
+ssl_client_header = SSL_CLIENT_S_DN
diff --git a/global/post-tasks.d/010fix-ssh-perms b/global/post-tasks.d/010fix-ssh-perms
new file mode 100755
index 0000000..87636d7
--- /dev/null
+++ b/global/post-tasks.d/010fix-ssh-perms
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+if test -d /root/.ssh && \
+ test `stat -t /root/.ssh | cut -d\ -f5` != 0; then
+ chown root.root /root/.ssh
+fi
+
+if test -d /root/.ssh && \
+ test `stat -c %a /root/.ssh` != 700; then
+ chmod 700 /root/.ssh
+fi
+
+if test -f /root/.ssh/authorized_keys; then
+ if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
+ chown root.root /root/.ssh/authorized_keys
+ fi
+ if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
+ chmod 600 /root/.ssh/authorized_keys
+ fi
+fi
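Review bot: `chown root.root` uses the dot separator, which GNU chown keeps only for backward compatibility; `chown root:root` is the documented form. The ownership tests read the fifth field of `stat -t`, which is hard to follow without the man page; `stat -c %u` states the intent directly and matches the `stat -c %a` already used for the mode check. A one-line header comment saying that the script enforces root ownership, 700 on `/root/.ssh` and 600 on `authorized_keys` would replace the current "Re-used example" remark with something a reader can act on.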
diff --git a/global/post-tasks.d/015cosmos-trust b/global/post-tasks.d/015cosmos-trust
new file mode 100755
index 0000000..ad2c066
--- /dev/null
+++ b/global/post-tasks.d/015cosmos-trust
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+for k in /etc/cosmos/keys/*.pub; do
+ fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'`
+ cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k
+done
+
+for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
+ seen="no"
+ for k in /etc/cosmos/keys/*.pub; do
+ cosmos gpg --with-colons --with-fingerprint < $k | grep -q ":$fp:" && seen="yes"
+ done
+ if [ "x$seen" = "xno" ]; then
+ cosmos gpg --yes --batch --delete-key $fp || true
+ fi
+done
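Review bot: When `/etc/cosmos/keys/` holds no `*.pub` file (this commit ships only `.placeholder` there) the glob stays literal, the inner loop never sets `seen`, and the second loop deletes every key in the cosmos keyring, which would presumably leave the host unable to verify any tag. Guard before either loop runs, e.g. `set -- /etc/cosmos/keys/*.pub; [ -e "$1" ] || exit 0`. In addition, `$5` of a `pub` record in `--with-colons` output is the 64-bit key ID rather than the fingerprint; matching on the `fpr` record (`awk -F: '$1 == "fpr" {print $10}'`) ties the trust decision to the full fingerprint. `$k` and `$fp` should be double-quoted where they are expanded.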
diff --git a/global/post-tasks.d/020reports b/global/post-tasks.d/020reports
new file mode 100755
index 0000000..091a236
--- /dev/null
+++ b/global/post-tasks.d/020reports
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm -f /var/run/facts.json
+facter -p -y > /var/run/facts.yaml
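Review bot: `rm -f /var/run/facts.json` removes a file this script never writes, while the output goes to `/var/run/facts.yaml`; the `rm` looks like a leftover from an earlier format and can either be dropped or pointed at the YAML file. The facts file is created with the default umask, so if any fact on these hosts is sensitive, setting `umask 077` before the redirect keeps it readable by root only, which still works for the `facts` task in the fabfile since it connects as root.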
diff --git a/global/post-tasks.d/030puppet b/global/post-tasks.d/030puppet
new file mode 100755
index 0000000..6b1d33a
--- /dev/null
+++ b/global/post-tasks.d/030puppet
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+ args="--verbose"
+else
+ args="--logdest=syslog"
+fi
+
+if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then
+ for m in `find /etc/puppet/manifests -name \*.pp`; do
+ puppet apply $args $m
+ done
+fi
diff --git a/global/post-tasks.d/099autoremove b/global/post-tasks.d/099autoremove
new file mode 100755
index 0000000..2cc6996
--- /dev/null
+++ b/global/post-tasks.d/099autoremove
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+apt-get -qq update
+apt-get -qq -y autoremove
diff --git a/global/post-tasks.d/999reboot b/global/post-tasks.d/999reboot
new file mode 100755
index 0000000..5331446
--- /dev/null
+++ b/global/post-tasks.d/999reboot
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+test -f /var/run/reboot-required -a ! -f /etc/cosmos-manual-reboot && reboot
diff --git a/global/pre-tasks.d/020common-tools b/global/pre-tasks.d/020common-tools
new file mode 100755
index 0000000..eaca6ea
--- /dev/null
+++ b/global/pre-tasks.d/020common-tools
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp"
+
+if ! test -f $stamp; then
+ apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp
+ update-alternatives --set editor /usr/bin/vim.basic
+
+ mkdir -p `dirname $stamp`
+ touch $stamp
+fi
diff --git a/global/pre-tasks.d/030puppet b/global/pre-tasks.d/030puppet
new file mode 100755
index 0000000..2dc0b80
--- /dev/null
+++ b/global/pre-tasks.d/030puppet
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"
+
+if ! test -f $stamp -a -f /usr/bin/puppet; then
+ codename=`lsb_release -c| awk '{print $2}'`
+ wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb
+ dpkg -i puppetlabs-release-${codename}.deb
+ rm -f puppetlabs-release-${codename}.deb*
+ apt-get update
+ apt-get -y install puppet-common
+
+ mkdir -p `dirname $stamp`
+ touch $stamp
+fi
+
+python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml
+
+if [ -f /etc/puppet/cosmos-modules.conf ]; then
+ grep -E -v "^#" /etc/puppet/cosmos-modules.conf | (
+ cd /etc/puppet/modules && while read module src update; do
+ if [ ! -d /etc/puppet/modules/$module ]; then
+ echo $src | grep -q "://" && git clone $src $module || puppet module install $src
+ else
+ if [ "x$update" = "xyes" ]; then
+ echo $src | grep -q "://" && (cd /etc/puppet/modules/$module && git pull -q) || puppet module upgrade $src
+ fi
+ fi
+ done)
+fi
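Review bot: `wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb` fetches a package over plain HTTP and the next line installs it as root with `dpkg -i`, with no integrity check in between, so anything on the network path can influence what the host installs and which APT source it goes on to trust. Fetch over HTTPS and verify a pinned digest before installing, e.g. `echo "EXPECTED_SHA256_PLACEHOLDER  puppetlabs-release-${codename}.deb" | sha256sum -c -`, and drop `-c` so a partial file left by an earlier run is never resumed. The module loop has a related gap: entries in cosmos-modules.conf carry no version or commit, so `puppet module install` and `git clone` take whatever is current upstream. In the `cmd && a || b` lines a failed `git clone` also falls through to `puppet module install $src`; an explicit `if`/`else` on the `://` test avoids that.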