diff options
author | Leif Johansson <leifj@sunet.se> | 2015-03-22 17:11:23 +0100 |
---|---|---|
committer | Leif Johansson <leifj@sunet.se> | 2015-03-22 17:11:23 +0100 |
commit | 1709cf98ed0c2283c9f81f1f76302f7a539a62c3 (patch) | |
tree | 57e78f2d34a3b3c895debe3b4b16a57c57b2dfad /global/overlay/etc/puppet | |
parent | 4d899d22b16dfe5412a0534da2a3f3b8ce95f491 (diff) |
trust anchorsct-ops-2015-03-22-v02
Diffstat (limited to 'global/overlay/etc/puppet')
8 files changed, 219 insertions, 27 deletions
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp index 8bf5aee..bec8359 100644 --- a/global/overlay/etc/puppet/manifests/cosmos-site.pp +++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp @@ -27,33 +27,6 @@ node default { } -class dockerhost { - apt::source {'docker_official': - location => 'https://get.docker.com/ubuntu', - release => 'docker', - repos => 'main', - key => 'A88D21E9', - include_src => false - } - package {'lxc-docker': - ensure => latest - } - class {'docker': - manage_package => false - } -} - -class webserver { - ufw::allow { "allow-http": - ip => 'any', - port => 80 - } - ufw::allow { "allow-https": - ip => 'any', - port => 443 - } -} - class mailclient ($domain) { cosmos::preseed::preseed_package {"postfix": ensure => present, domain => $domain} } diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp new file mode 100644 index 0000000..8df416b --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp @@ -0,0 +1,42 @@ +# Common use of docker::run +define sunet::docker_run( + $image, + $imagetag = hiera('sunet_docker_default_tag', 'latest'), + $volumes = [], + $ports = [], + $env = [], + $net = 'bridge', + $extra_parameters = [], +) { + + # Make container use unbound resolver on dockerhost + # If docker was just installed, facter will not know the IP of docker0. Thus the pick. + $dns = $net ? { + 'host' => [], # docker refuses --dns with --net host + default => [pick($::ipaddress_docker0, '172.17.42.1')], + } + + $image_tag = "${image}:${imagetag}" + docker::image { $image_tag : } -> + + docker::run {$name : + use_name => true, + image => $image_tag, + volumes => flatten([$volumes, + '/etc/passwd:/etc/passwd:ro', # uid consistency + '/etc/group:/etc/group:ro', # gid consistency + ]), + ports => $ports, + env => $env, + net => $net, + extra_parameters => flatten([$extra_parameters, + '--rm', + ]), + dns => $dns, + verify_checksum => false, # Rely on registry security for now. eduID risk #31. + pre_start => 'run-parts /usr/local/etc/docker.d', + post_start => 'run-parts /usr/local/etc/docker.d', + pre_stop => 'run-parts /usr/local/etc/docker.d', + } + +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp new file mode 100644 index 0000000..67f75f9 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp @@ -0,0 +1,56 @@ +# Install docker from https://get.docker.com/ubuntu +class sunet::dockerhost { + apt::source {'docker_official': + location => 'https://get.docker.com/ubuntu', + release => 'docker', + repos => 'main', + key => 'A88D21E9', + include_src => false + } + package {'lxc-docker': + ensure => latest, + } + + class {'docker': + manage_package => false, + } + + package { 'unbound': ensure => 'latest' } + service { 'unbound': ensure => 'running' } + + file { '/usr/local/etc/docker.d/20unbound': + ensure => file, + path => '/usr/local/etc/docker.d/20unbound', + mode => '0755', + content => template('sunet/dockerhost/20unbound.erb'), + } + + file { '/etc/logrotate.d/docker-containers': + ensure => file, + path => '/etc/logrotate.d/docker-containers', + mode => '0644', + content => template('sunet/dockerhost/logrotate_docker-containers.erb'), + } + + file { '/etc/unbound/unbound.conf.d/docker.conf': + ensure => file, + path => '/etc/unbound/unbound.conf.d/docker.conf', + mode => '0644', + content => template('sunet/dockerhost/unbound_docker.conf.erb'), + notify => Service['unbound'], + } + + ufw::allow { 'allow-docker-resolving_udp': + port => '53', + ip => $::ipaddress_docker0, # both IPv4 and IPv6 + from => '172.16.0.0/12', + proto => 'udp', + } + ufw::allow { 'allow-docker-resolving_tcp': + port => '53', + ip => $::ipaddress_docker0, # both IPv4 and IPv6 + from => '172.16.0.0/12', + proto => 'tcp', + } + +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp new file mode 100644 index 0000000..9956e00 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp @@ -0,0 +1,12 @@ +define sunet::encrypted_swap() { + + package { 'ecryptfs-utils': + ensure => 'installed' + } -> + + exec {'sunet_ecryptfs_setup_swap': + command => '/usr/bin/ecryptfs-setup-swap -f', + onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap', + } + +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp new file mode 100644 index 0000000..8ff7325 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp @@ -0,0 +1,19 @@ +define sunet::ethernet_bonding() { + # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1, + # for all physical hosts that are running Ubuntu. + # + # Bonding requires setup in /etc/network/interfaces as well. + # + if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' { + if $::operatingsystemrelease <= '12.04' { + package {'ifenslave': ensure => 'present' } + } else { + package {'ifenslave-2.6': ensure => 'present' } + } + + file_line { 'load_module_at_boot': + path => '/etc/modules', + line => 'bonding', + } + } +} diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb new file mode 100755 index 0000000..204e97c --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb @@ -0,0 +1,78 @@ +#!/bin/bash +# +# This script registers/removes docker containers IP addresses +# from the local unbound resolver in the post-start / pre-stop actions. +# +# For action pre-start, it checks if there is a CID file that needs to be +# cleaned away to not prevent the new container from starting. +# + +# sunet_docker_pre-post: CID d05a0842ce1700ee3328d42ccf5c2f29cc3d71fa6dcc6a72f994f8d032453be7 +# sunet_docker_pre-post: ACTION pre-stop +# sunet_docker_pre-post: IMAGE docker.sunet.se/eduid/eduid-mm-service +# sunet_docker_pre-post: NAME eduid-mm-service +#for e in "CID" "ACTION" "IMAGE" "NAME"; do +# logger -t sunet_docker_pre-post "$e `printenv $e`" +#done + +logtag="sunet_docker_pre-post[$ACTION]" +logger -t "${logtag}" "$NAME ($IMAGE), CID: '$CID'" + +if [ "x$ACTION" = "xpre-start" ]; then + if [ -f "${CIDFILE}" ]; then + # Clean away the CID file in pre-start if the container is in fact not running + docker inspect "${CID}" 2>/dev/null || ( + logger -t "${logtag}" "Removing left-over CID file '${CIDFILE}' (CID ${CID})"; + rm -f "${CIDFILE}" + ) + fi + + # Remove any stopped container with this name to prevent the docker start script + # from just restarting that one (instead of starting the currently tagged image, + # which might be newer than the one used by the old container) + docker inspect "${NAME}" && docker rm "${NAME}" + exit 0 +fi + +if [ "x${CID}" = "x" ]; then + CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null) + + if [ "x${CID}" = "x" ]; then + # sometimes containers start slow... + for retry in 1 2 3 4 5; do + sleep 1 + logger -t "${logtag}" "Retrying CID lookup for ${NAME}" + CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null) + if [ "x${CID}" != "x" ]; then + break + fi + done + fi + + if [ "x${CID}" = "x" ]; then + logger -t "${logtag}" "No CID provided or found! Aborting." + exit 0 + fi + + logger -t "${logtag}" "Found CID ${CID} using docker inspect on '${NAME}'" +fi + +# Remove registered name. +# XXX this does NOT handle multiple instances of the same image running on +# a single Docker host! +logger -t "${logtag}" "Un-registering ${NAME}.docker" +unbound-control local_data_remove "${NAME}.docker." > /dev/null + +# If it is a container starting up, register it's IP address +if [ "x$ACTION" = "xpost-start" ]; then + ip=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "${CID}" 2>/dev/null) + if [ "x${ip}" = "x" ]; then + logger -t "${logtag}" "Failed to get IP from CID ${CID}. Aborting." + exit 0 + fi + unbound-control local_data "${NAME}.docker. 60 IN A ${ip}" > /dev/null + # Register reverse pointer - there is no local_data_ptr command unfortunately + ptr=$(echo "${ip}" | awk -F . '{print $4"."$3"."$2"."$1".in-addr.arpa."}') + unbound-control local_data "${ptr} 60 IN PTR ${NAME}.docker." + logger -t "${logtag}" "Registered ${NAME}.docker at ${ip}" +fi diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb new file mode 100644 index 0000000..6cf5fe9 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb @@ -0,0 +1,7 @@ +/var/lib/docker/containers/*/*.log { + rotate 7 + daily + compress + delaycompress + copytruncate +} diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb new file mode 100644 index 0000000..f6bb382 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb @@ -0,0 +1,5 @@ +server: + local-zone: docker. static + interface: 127.0.0.1 + interface: 172.17.42.1 + access-control: 172.16.0.0/12 allow |