summaryrefslogtreecommitdiff
path: root/global/overlay/etc/puppet
diff options
context:
space:
mode:
authorLeif Johansson <leifj@sunet.se>2015-03-22 17:11:23 +0100
committerLeif Johansson <leifj@sunet.se>2015-03-22 17:11:23 +0100
commit1709cf98ed0c2283c9f81f1f76302f7a539a62c3 (patch)
tree57e78f2d34a3b3c895debe3b4b16a57c57b2dfad /global/overlay/etc/puppet
parent4d899d22b16dfe5412a0534da2a3f3b8ce95f491 (diff)
Diffstat (limited to 'global/overlay/etc/puppet')
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp27
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp42
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp56
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp12
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp19
-rwxr-xr-xglobal/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb78
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb7
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb5
8 files changed, 219 insertions, 27 deletions
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 8bf5aee..bec8359 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -27,33 +27,6 @@ node default {
}
-class dockerhost {
- apt::source {'docker_official':
- location => 'https://get.docker.com/ubuntu',
- release => 'docker',
- repos => 'main',
- key => 'A88D21E9',
- include_src => false
- }
- package {'lxc-docker':
- ensure => latest
- }
- class {'docker':
- manage_package => false
- }
-}
-
-class webserver {
- ufw::allow { "allow-http":
- ip => 'any',
- port => 80
- }
- ufw::allow { "allow-https":
- ip => 'any',
- port => 443
- }
-}
-
class mailclient ($domain) {
cosmos::preseed::preseed_package {"postfix": ensure => present, domain => $domain}
}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
new file mode 100644
index 0000000..8df416b
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -0,0 +1,42 @@
+# Common use of docker::run
+define sunet::docker_run(
+ $image,
+ $imagetag = hiera('sunet_docker_default_tag', 'latest'),
+ $volumes = [],
+ $ports = [],
+ $env = [],
+ $net = 'bridge',
+ $extra_parameters = [],
+) {
+
+ # Make container use unbound resolver on dockerhost
+ # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
+ $dns = $net ? {
+ 'host' => [], # docker refuses --dns with --net host
+ default => [pick($::ipaddress_docker0, '172.17.42.1')],
+ }
+
+ $image_tag = "${image}:${imagetag}"
+ docker::image { $image_tag : } ->
+
+ docker::run {$name :
+ use_name => true,
+ image => $image_tag,
+ volumes => flatten([$volumes,
+ '/etc/passwd:/etc/passwd:ro', # uid consistency
+ '/etc/group:/etc/group:ro', # gid consistency
+ ]),
+ ports => $ports,
+ env => $env,
+ net => $net,
+ extra_parameters => flatten([$extra_parameters,
+ '--rm',
+ ]),
+ dns => $dns,
+ verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ pre_start => 'run-parts /usr/local/etc/docker.d',
+ post_start => 'run-parts /usr/local/etc/docker.d',
+ pre_stop => 'run-parts /usr/local/etc/docker.d',
+ }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
new file mode 100644
index 0000000..67f75f9
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
@@ -0,0 +1,56 @@
+# Install docker from https://get.docker.com/ubuntu
+class sunet::dockerhost {
+ apt::source {'docker_official':
+ location => 'https://get.docker.com/ubuntu',
+ release => 'docker',
+ repos => 'main',
+ key => 'A88D21E9',
+ include_src => false
+ }
+ package {'lxc-docker':
+ ensure => latest,
+ }
+
+ class {'docker':
+ manage_package => false,
+ }
+
+ package { 'unbound': ensure => 'latest' }
+ service { 'unbound': ensure => 'running' }
+
+ file { '/usr/local/etc/docker.d/20unbound':
+ ensure => file,
+ path => '/usr/local/etc/docker.d/20unbound',
+ mode => '0755',
+ content => template('sunet/dockerhost/20unbound.erb'),
+ }
+
+ file { '/etc/logrotate.d/docker-containers':
+ ensure => file,
+ path => '/etc/logrotate.d/docker-containers',
+ mode => '0644',
+ content => template('sunet/dockerhost/logrotate_docker-containers.erb'),
+ }
+
+ file { '/etc/unbound/unbound.conf.d/docker.conf':
+ ensure => file,
+ path => '/etc/unbound/unbound.conf.d/docker.conf',
+ mode => '0644',
+ content => template('sunet/dockerhost/unbound_docker.conf.erb'),
+ notify => Service['unbound'],
+ }
+
+ ufw::allow { 'allow-docker-resolving_udp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'udp',
+ }
+ ufw::allow { 'allow-docker-resolving_tcp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'tcp',
+ }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
new file mode 100644
index 0000000..9956e00
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
@@ -0,0 +1,12 @@
+define sunet::encrypted_swap() {
+
+ package { 'ecryptfs-utils':
+ ensure => 'installed'
+ } ->
+
+ exec {'sunet_ecryptfs_setup_swap':
+ command => '/usr/bin/ecryptfs-setup-swap -f',
+ onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap',
+ }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
new file mode 100644
index 0000000..8ff7325
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
@@ -0,0 +1,19 @@
+define sunet::ethernet_bonding() {
+ # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1,
+ # for all physical hosts that are running Ubuntu.
+ #
+ # Bonding requires setup in /etc/network/interfaces as well.
+ #
+ if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' {
+ if $::operatingsystemrelease <= '12.04' {
+ package {'ifenslave': ensure => 'present' }
+ } else {
+ package {'ifenslave-2.6': ensure => 'present' }
+ }
+
+ file_line { 'load_module_at_boot':
+ path => '/etc/modules',
+ line => 'bonding',
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
new file mode 100755
index 0000000..204e97c
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# This script registers/removes docker containers IP addresses
+# from the local unbound resolver in the post-start / pre-stop actions.
+#
+# For action pre-start, it checks if there is a CID file that needs to be
+# cleaned away to not prevent the new container from starting.
+#
+
+# sunet_docker_pre-post: CID d05a0842ce1700ee3328d42ccf5c2f29cc3d71fa6dcc6a72f994f8d032453be7
+# sunet_docker_pre-post: ACTION pre-stop
+# sunet_docker_pre-post: IMAGE docker.sunet.se/eduid/eduid-mm-service
+# sunet_docker_pre-post: NAME eduid-mm-service
+#for e in "CID" "ACTION" "IMAGE" "NAME"; do
+# logger -t sunet_docker_pre-post "$e `printenv $e`"
+#done
+
+logtag="sunet_docker_pre-post[$ACTION]"
+logger -t "${logtag}" "$NAME ($IMAGE), CID: '$CID'"
+
+if [ "x$ACTION" = "xpre-start" ]; then
+ if [ -f "${CIDFILE}" ]; then
+ # Clean away the CID file in pre-start if the container is in fact not running
+ docker inspect "${CID}" 2>/dev/null || (
+ logger -t "${logtag}" "Removing left-over CID file '${CIDFILE}' (CID ${CID})";
+ rm -f "${CIDFILE}"
+ )
+ fi
+
+ # Remove any stopped container with this name to prevent the docker start script
+ # from just restarting that one (instead of starting the currently tagged image,
+ # which might be newer than the one used by the old container)
+ docker inspect "${NAME}" && docker rm "${NAME}"
+ exit 0
+fi
+
+if [ "x${CID}" = "x" ]; then
+ CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
+
+ if [ "x${CID}" = "x" ]; then
+ # sometimes containers start slow...
+ for retry in 1 2 3 4 5; do
+ sleep 1
+ logger -t "${logtag}" "Retrying CID lookup for ${NAME}"
+ CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
+ if [ "x${CID}" != "x" ]; then
+ break
+ fi
+ done
+ fi
+
+ if [ "x${CID}" = "x" ]; then
+ logger -t "${logtag}" "No CID provided or found! Aborting."
+ exit 0
+ fi
+
+ logger -t "${logtag}" "Found CID ${CID} using docker inspect on '${NAME}'"
+fi
+
+# Remove registered name.
+# XXX this does NOT handle multiple instances of the same image running on
+# a single Docker host!
+logger -t "${logtag}" "Un-registering ${NAME}.docker"
+unbound-control local_data_remove "${NAME}.docker." > /dev/null
+
+# If it is a container starting up, register it's IP address
+if [ "x$ACTION" = "xpost-start" ]; then
+ ip=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "${CID}" 2>/dev/null)
+ if [ "x${ip}" = "x" ]; then
+ logger -t "${logtag}" "Failed to get IP from CID ${CID}. Aborting."
+ exit 0
+ fi
+ unbound-control local_data "${NAME}.docker. 60 IN A ${ip}" > /dev/null
+ # Register reverse pointer - there is no local_data_ptr command unfortunately
+ ptr=$(echo "${ip}" | awk -F . '{print $4"."$3"."$2"."$1".in-addr.arpa."}')
+ unbound-control local_data "${ptr} 60 IN PTR ${NAME}.docker."
+ logger -t "${logtag}" "Registered ${NAME}.docker at ${ip}"
+fi
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
new file mode 100644
index 0000000..6cf5fe9
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
@@ -0,0 +1,7 @@
+/var/lib/docker/containers/*/*.log {
+ rotate 7
+ daily
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
new file mode 100644
index 0000000..f6bb382
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
@@ -0,0 +1,5 @@
+server:
+ local-zone: docker. static
+ interface: 127.0.0.1
+ interface: 172.17.42.1
+ access-control: 172.16.0.0/12 allow