| -rw-r--r-- | .gitignore | 1 | ||||
| -rwxr-xr-x | addhost | 2 | ||||
| -rwxr-xr-x | bump-tag | 28 | ||||
| -rw-r--r-- | fabfile/__init__.py | 2 | ||||
| -rw-r--r-- | global/overlay/etc/puppet/cosmos-modules.conf | 46 | ||||
| -rw-r--r-- | global/overlay/etc/puppet/puppet.conf | 1 | ||||
| -rwxr-xr-x | global/overlay/usr/local/bin/run-cosmos | 52 | ||||
| -rwxr-xr-x | global/overlay/usr/local/sbin/cosmos_vm | 8 | ||||
| -rwxr-xr-x | global/post-tasks.d/015cosmos-trust | 12 | ||||
| -rwxr-xr-x | global/post-tasks.d/018packages | 6 | ||||
| -rwxr-xr-x | global/post-tasks.d/030puppet | 4 | ||||
| -rwxr-xr-x | global/post-tasks.d/099autoremove | 6 | ||||
| -rwxr-xr-x | global/pre-tasks.d/030puppet | 10 | 
13 files changed, 115 insertions, 63 deletions
| @@ -1,2 +1 @@  *.pyc -**/*.pyc @@ -45,7 +45,7 @@ if [ ! -d $cmd_hostname ]; then  fi  if [ "$cmd_do_bootstrap" = "yes" ]; then -   scp apt/cosmos_1.2-2_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname: +   scp apt/cosmos_1.5-1_all.deb apt/bootstrap-cosmos.sh root@$cmd_hostname:     ssh root@$cmd_hostname ./bootstrap-cosmos.sh $cmd_fqdn $rrepo $rtag     ssh root@$cmd_hostname cosmos update      ssh root@$cmd_hostname cosmos apply @@ -1,19 +1,30 @@ -#!/bin/sh +#!/bin/bash  set -e  test -f cosmos.conf && . ./cosmos.conf +echo "Fetching any updates from server:"  git pull +echo "" -deftag=`basename $PWD` +if [ "x$1" = "x" ]; then +    deftag=`basename $PWD` +else +    deftag="$1" +fi  tagpfx=${tag:="$deftag"}  last_tag=`git tag -l "${tagpfx}-*"|sort|tail -1` -git tag -v $last_tag +echo "Verifying last tag $last_tag:" +(git tag -v $last_tag | grep ^gpg:) || true +# again to not mask exit status of git with grep +git tag -v $last_tag > /dev/null 2>&1 +echo "" -PAGER=cat git diff $last_tag..master +echo "Differences between tag $last_tag and what you are about to sign:" +PAGER=cat git diff --color $last_tag..master  iter=1  ok= @@ -29,8 +40,13 @@ while test -z "$ok"; do      esac  done -echo using new tag $this_tag -echo ONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE +if [ "$deftag" != "$tagpfx" ]; then +    echo -e "Using new tag \e[94m$this_tag\e[0m according to pattern in cosmos.conf" +else +    echo -e "Using new tag \e[94m$this_tag\e[0m" +fi + +echo -e "\e[1mONLY SIGN IF YOU APPROVE OF VERIFICATION AND DIFF ABOVE\e[0m"  # GITTAGEXTRA is for putting things like "-u 2117364A" diff --git a/fabfile/__init__.py b/fabfile/__init__.py index 3933104..8db5748 100644 --- a/fabfile/__init__.py +++ b/fabfile/__init__.py @@ -17,7 +17,7 @@ def all():      env.hosts = cosmos_db()['members']['all']  def cosmos(): -    run("/usr/local/bin/run-cosmos -v"); +    run("/usr/local/bin/run-cosmos");  def upgrade():      run("apt-get -qq update && apt-get -y -q dist-upgrade"); 
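Review bot: `last_tag` is expanded unquoted in the new `git tag -v $last_tag` lines and is never checked for being empty, so a checkout with no tag matching `${tagpfx}-*` prints "Verifying last tag :" and then dies on the second, silenced `git tag -v` (its output goes to /dev/null) with no hint of the cause. A guard before the verification, `[ -n "$last_tag" ] || { echo "no existing tag matches ${tagpfx}-*" >&2; exit 1; }`, plus quoting `"$last_tag"` where it is expanded, would make this fail clearly. The two-pass `git tag -v` is a sound way to keep `set -e` effective while showing only the gpg lines; the comment could say so directly: `# run again unfiltered so set -e sees git's exit status, not grep's`.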
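Review bot: The new `echo -e` lines emit ANSI colour escapes unconditionally, so when the output is captured (a log file, `tee`) the escape sequences land in it, which the plain `echo` lines they replace did not do. Defining the codes only for a terminal, `if [ -t 1 ]; then bold=$'\e[1m'; blue=$'\e[94m'; reset=$'\e[0m'; fi`, and printing with `printf '%s\n' "Using new tag ${blue}${this_tag}${reset}"` keeps the highlighting interactive-only and avoids echo's non-portable `-e`. This relies on the bash shebang introduced in the first hunk of this file.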
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf index e4dc597..991a570 100644 --- a/global/overlay/etc/puppet/cosmos-modules.conf +++ b/global/overlay/etc/puppet/cosmos-modules.conf 
@@ -1,21 +1,18 @@ +#  # name source (puppetlabs fq name or git url) upgrade (yes/no) tag-pattern  #  # NOTE that Git packages MUST be tagged with signatures by someone  # in the Cosmos trust list. That is why all the URLs point to forked  # versions in the SUNET github organization.  # -concat          git://github.com/SUNET/puppetlabs-concat.git yes sunet-* -stdlib          git://github.com/SUNET/puppetlabs-stdlib.git yes sunet-* -cosmos          git://github.com/SUNET/puppet-cosmos.git yes sunet-* -ufw             git://github.com/SUNET/puppet-module-ufw.git yes sunet-* -apt             git://github.com/SUNET/puppetlabs-apt.git yes sunet-* -vcsrepo         git://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-* -xinetd          git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-* -hiera-gpg       git://github.com/SUNET/hiera-gpg.git yes sunet-* -augeas 		git://github.com/SUNET/puppet-augeas.git yes sunet-* -docker          git://github.com/SUNET/garethr-docker.git yes sunet-* -sunet 		git://github.com/SUNET/puppet-sunet.git yes sunet-* - +concat          https://github.com/SUNET/puppetlabs-concat.git yes sunet-* +stdlib          https://github.com/SUNET/puppetlabs-stdlib.git yes sunet-* +cosmos          https://github.com/SUNET/puppet-cosmos.git yes sunet-* +ufw             https://github.com/SUNET/puppet-module-ufw.git yes sunet_dev-* +apt             https://github.com/SUNET/puppetlabs-apt.git yes sunet_dev-* +vcsrepo         https://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-* +xinetd          https://github.com/SUNET/puppetlabs-xinetd.git yes sunet-* +hiera-gpg       https://github.com/SUNET/hiera-gpg.git yes sunet-*  #  # Alternate sources you might or might not want to use:  #concat          puppetlabs/concat no 
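Review bot: The `ufw` and `apt` entries now accept tags matching `sunet_dev-*` instead of `sunet-*`, while every neighbouring entry keeps `sunet-*`; since the tag pattern decides which signed tag 018packages checks out, this moves two production modules onto development tags and deserves a comment saying why, e.g. `# ufw and apt follow sunet_dev-* because: <reason>`. The `augeas`, `docker` and `sunet` lines are dropped from the active list, and only `docker` reappears under the alternate sources below (`augeas` was already listed there), so `sunet` is no longer recorded anywhere in this file; if that is intended, a commented-out line keeps its source discoverable. The switch from `git://` to `https://` is an improvement on its own, as the transport is now authenticated, though as the header comment states the trust anchor remains the signed tag.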
@@ -24,15 +21,16 @@ sunet 		git://github.com/SUNET/puppet-sunet.git yes sunet-*  #apt             puppetlabs/apt no  #vcsrepo         puppetlabs/vcsrepo no  #xinetd          puppetlabs/xinetd no -#cosmos          git://github.com/leifj/puppet-cosmos.git yes -#python          git://github.com/SUNET/puppet-python.git yes sunet-* -#erlang          git://github.com/SUNET/garethr-erlang.git yes sunet-* -#rabbitmq        git://github.com/SUNET/puppetlabs-rabbitmq.git yes sunet_dev-* -#pound           git://github.com/SUNET/puppet-pound.git yes sunet_dev-* -#augeas          git://github.com/SUNET/puppet-augeas.git yes sunet-* -#bastion         git://github.com/SUNET/puppet-bastion.git yes sunet-* -#postgresql      git://github.com/SUNET/puppetlabs-postgresql.git yes sunet_dev-* -#munin           git://github.com/SUNET/ssm-munin.git yes sunet-* -#nagios          git://github.com/SUNET/puppet-nagios.git yes sunet-* -#staging         git://github.com/SUNET/puppet-staging.git yes sunet-* -#apparmor        git://github.com/SUNET/puppet-apparmor.git yes sunet-* +#cosmos          https://github.com/SUNET/puppet-cosmos.git yes +#python          https://github.com/SUNET/puppet-python.git yes sunet-* +#erlang          https://github.com/SUNET/garethr-erlang.git yes sunet-* +#rabbitmq        https://github.com/SUNET/puppetlabs-rabbitmq.git yes sunet_dev-* +#pound           https://github.com/SUNET/puppet-pound.git yes sunet_dev-* +#augeas          https://github.com/SUNET/puppet-augeas.git yes sunet-* +#bastion         https://github.com/SUNET/puppet-bastion.git yes sunet-* +#postgresql      https://github.com/SUNET/puppetlabs-postgresql.git yes sunet_dev-* +#munin           https://github.com/SUNET/ssm-munin.git yes sunet-* +#nagios          https://github.com/SUNET/puppet-nagios.git yes sunet-* +#staging         https://github.com/SUNET/puppet-staging.git yes sunet-* +#apparmor        https://github.com/SUNET/puppet-apparmor.git yes sunet-* +#docker          
https://github.com/SUNET/garethr-docker.git yes sunet_dev-* diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf index 1f834e8..88871f0 100644 --- a/global/overlay/etc/puppet/puppet.conf +++ b/global/overlay/etc/puppet/puppet.conf @@ -4,6 +4,7 @@ vardir=/var/lib/puppet  ssldir=/var/lib/puppet/ssl  rundir=/var/run/puppet  factpath=$vardir/lib/facter +templatedir=$confdir/templates  node_terminus = exec  external_nodes = /etc/puppet/cosmos_enc.py  basemodulepath = /etc/puppet/modules:/etc/puppet/cosmos-modules:/usr/share/puppet/modules diff --git a/global/overlay/usr/local/bin/run-cosmos b/global/overlay/usr/local/bin/run-cosmos index a37d49f..5f2cbc1 100755 --- a/global/overlay/usr/local/bin/run-cosmos +++ b/global/overlay/usr/local/bin/run-cosmos @@ -1,22 +1,46 @@ -#!/bin/sh +#!/bin/bash  #  # Simplify running cosmos, with serialization if flock is available.  # -set -e +readonly PROGNAME=$(basename "$0") +readonly LOCKFILE_DIR=/tmp +readonly LOCK_FD=200 -FLOCK=`which flock` +lock() { +    local prefix=$1 +    local fd=${2:-$LOCK_FD} +    local lock_file=$LOCKFILE_DIR/$prefix.lock -if [ -x "$FLOCK" ]; then -    ($FLOCK --exclusive --wait 60 9 || exit 1 -	cosmos $* update -	cosmos $* apply -    )9>/var/lock/run-cosmos -else -    cosmos $* update -    cosmos $* apply -fi +    # create lock file +    eval "exec $fd>$lock_file" + +    # acquier the lock +    flock -n $fd \ +        && return 0 \ +        || return 1 +} + +eexit() { +    local error_str="$@" + +    echo $error_str +    exit 1 +} -touch /var/run/last-cosmos-ok.stamp +main () { +   lock $PROGNAME || eexit "Only one instance of $PROGNAME can run at one time." +   cosmos $* update +   cosmos $* apply -find /var/lib/puppet/reports/ -type f -mtime +10 | xargs rm -f +   touch /var/run/last-cosmos-ok.stamp + +   find /var/lib/puppet/reports/ -type f -mtime +10 | xargs rm -f +} + +main $* + +if [ -f /cosmos-reboot ]; then +   rm -f /cosmos-reboot +   reboot +fi 
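Review bot: `set -e` is removed from run-cosmos and nothing replaces it, so in `main` a failing `cosmos $* update` or `cosmos $* apply` no longer stops the run: `touch /var/run/last-cosmos-ok.stamp` executes anyway and the `/cosmos-reboot` check below still reboots the host, which makes the "ok" stamp a false signal for whatever monitors it. Keeping `set -e` after the header comment, or writing `cosmos "$@" update && cosmos "$@" apply || eexit "cosmos update/apply failed"`, restores the old contract, and `"$@"` in place of `$*` in `main $*` and the two cosmos calls stops arguments from being re-split. The lock also moves from `/var/lock/run-cosmos` to `readonly LOCKFILE_DIR=/tmp`: `/tmp/run-cosmos.lock` is a predictable name in a world-writable directory that root opens for writing through `eval "exec $fd>$lock_file"`, so a local user who pre-creates that name (or a symlink at it) can block every cosmos run or have root truncate another file; `readonly LOCKFILE_DIR=/var/lock` keeps the previous root-owned location. Finally `eexit` prints unquoted to stdout, where `echo "$error_str" >&2` is the usual form, and `# acquier the lock` should read `# acquire the lock`.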
diff --git a/global/overlay/usr/local/sbin/cosmos_vm b/global/overlay/usr/local/sbin/cosmos_vm index bf27576..5eec8f7 100755 --- a/global/overlay/usr/local/sbin/cosmos_vm +++ b/global/overlay/usr/local/sbin/cosmos_vm @@ -9,8 +9,8 @@ hostname="default"  bridge="br0"  cpus="1"  mem="1024" -repo="git://code.mnt.se/mnt-cosmos.git" -tag="eduid-cosmos" +repo="https://yourhost/myproj-cosmos.git" +tag="cosmos-ops"  ip=""  gateway=""  netmask="" @@ -63,7 +63,7 @@ ssh_authorized_keys:  runcmd:     - ["mkdir","/tmp/seed"]     - ["mount","/dev/vdb","/tmp/seed"] -   - ["cp","/tmp/seed/bootstrap-cosmos.sh","/tmp/seed/cosmos_1.2-2_all.deb","/root"] +   - ["cp","/tmp/seed/bootstrap-cosmos.sh","/tmp/seed/cosmos_1.5-1_all.deb","/root"]     - ["cd","/root"]     - "cd /root && /root/bootstrap-cosmos.sh ${hostname} ${repo} ${tag}" @@ -112,7 +112,7 @@ fi  mcopy -i ${seed} ${user_data} ::user-data 2>/dev/null  mcopy -i ${seed} ${meta_data} ::meta-data 2>/dev/null -mcopy -i ${seed} /etc/cosmos/apt/bootstrap-cosmos.sh /etc/cosmos/apt/cosmos_1.2-2_all.deb :: +mcopy -i ${seed} /etc/cosmos/apt/bootstrap-cosmos.sh /etc/cosmos/apt/cosmos_1.5-1_all.deb ::  mv ${seed} /var/lib/libvirt/images/  virsh pool-refresh default diff --git a/global/post-tasks.d/015cosmos-trust b/global/post-tasks.d/015cosmos-trust index 447d875..74835e0 100755 --- a/global/post-tasks.d/015cosmos-trust +++ b/global/post-tasks.d/015cosmos-trust 
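Review bot: The new default `repo="https://yourhost/myproj-cosmos.git"` is a placeholder that is still a syntactically valid URL, so if the caller does not override it the script writes it into the cloud-init line `bootstrap-cosmos.sh ${hostname} ${repo} ${tag}` and the failure only shows up inside the guest at first boot, not here. Setting `repo=""` and checking it before the seed image is written, `[ -n "$repo" ] || { echo "$0: a cosmos repo URL is required" >&2; exit 1; }`, fails fast; the same consideration applies to `tag="cosmos-ops"` if that name is an example rather than a real default. The code that lets the caller override these values is outside the hunk.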
@@ -4,11 +4,19 @@ if [ -z "$COSMOS_KEYS" ]; then     COSMOS_KEYS=/etc/cosmos/keys  fi +# Install new keys discovered in the $COSMOS_KEYS directory  for k in $COSMOS_KEYS/*.pub; do -   fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'` -   cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k +   fp=`cosmos gpg --with-colons --with-fingerprint < $k | awk -F: '$1 == "pub" {print $5}'` +   fp_in_db=`cosmos gpg --with-colons --fingerprint | grep ":$fp:"` +   if [ "x`echo $fp_in_db | grep '^pub:e:'`" != "x" ]; then +       echo "$0: Key expired, will re-import it from $k" +       cosmos gpg --fingerprint $fp +   fi +   # The removal of any ^pub:e: entrys means to ignore expired keys - thereby importing them again. +   echo $fp_in_db | grep -v "^pub:e:" | grep -q ":$fp:" || cosmos gpg --import < $k  done +# Delete keys no longer present in $COSMOS_KEYS directory  for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do     seen="no"     for k in $COSMOS_KEYS/*.pub; do diff --git a/global/post-tasks.d/018packages b/global/post-tasks.d/018packages index 3e2e26e..9370e10 100755 --- a/global/post-tasks.d/018packages +++ b/global/post-tasks.d/018packages @@ -24,8 +24,8 @@ if [ -f $CONFIG ]; then    # First pass to clone any new modules, and update those marked for updating.    grep -E -v "^#" $CONFIG | (      while read module src update pattern; do -      # We only support git:// urls atm -      if [ "${src:0:6}" = "git://" ]; then +      # We only support git:// urls and https:// urls atm +      if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then          if [ ! -d $CACHE_DIR/scm/$module ]; then            git clone -q $src $CACHE_DIR/scm/$module          elif [ -d $CACHE_DIR/scm/$module/.git ]; then 
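Review bot: `fp_in_db` may hold several records (any `pub`, `fpr`, `uid` or `sub` line containing `:$fp:`), but the two new tests read it through `echo $fp_in_db`, which joins them into a single line, so `grep '^pub:e:'` only fires when the expired `pub` record happens to come first and `grep -v "^pub:e:"` then drops every record at once; this works for the usual one-record case but not reliably. Quoting the variable keeps the records on separate lines: `if printf '%s\n' "$fp_in_db" | grep -q '^pub:e:'; then` and `printf '%s\n' "$fp_in_db" | grep -v "^pub:e:" | grep -q ":$fp:" || cosmos gpg --import < $k`. Field 5 of the `pub` record is the key ID rather than the fingerprint, so the name `fp` and the `:$fp:` match are slightly misleading, and re-importing from `$k` only clears an expired key if that file carries an updated expiry — otherwise "Key expired, will re-import it" repeats on every run, which a comment should state as the expectation. In the new comment, `entrys` should read `entries`.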
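Review bot: The widened condition uses `-o` inside `[ ]`, which POSIX marks obsolescent and ShellCheck flags (SC2166) because it is ambiguous when an operand looks like an operator; two tests joined by the shell are unambiguous: `if [ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "https://" ]; then`. The same construct appears in the second hunk of this file. `${src:0:6}` is already a bash substring expansion, so the script depends on bash either way; its shebang is outside the hunk.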
@@ -63,7 +63,7 @@ if [ -f $CONFIG ]; then    grep -E -v "^#" $CONFIG | (      while read module src update pattern; do        # We only support git:// urls atm -      if [ "${src:0:6}" = "git://" ]; then +      if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then          # Verify git tag          cd $CACHE_DIR/scm/$module          TAG=$(git tag -l "${pattern:-*}" | sort | tail -1) diff --git a/global/post-tasks.d/030puppet b/global/post-tasks.d/030puppet index 6742949..b94b9ff 100755 --- a/global/post-tasks.d/030puppet +++ b/global/post-tasks.d/030puppet @@ -1,13 +1,13 @@  #!/bin/sh  if [ "x$COSMOS_VERBOSE" = "xy" ]; then -   args="--verbose" +   args="--verbose --show_diff"  else     args="--logdest=syslog"  fi  if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then     for m in `find /etc/puppet/manifests -name \*.pp`; do -      puppet apply $args < $m +      puppet apply $args $m     done  fi diff --git a/global/post-tasks.d/099autoremove b/global/post-tasks.d/099autoremove index 2cc6996..74b0aa4 100755 --- a/global/post-tasks.d/099autoremove +++ b/global/post-tasks.d/099autoremove @@ -1,4 +1,6 @@  #!/bin/sh -apt-get -qq update -apt-get -qq -y autoremove +if (( $RANDOM % 20 == 0)); then +    apt-get -qq update +    apt-get -qq -y autoremove +fi diff --git a/global/pre-tasks.d/030puppet b/global/pre-tasks.d/030puppet index cdc9989..ef08016 100755 --- a/global/pre-tasks.d/030puppet +++ b/global/pre-tasks.d/030puppet 
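Review bot: The context comment `# We only support git:// urls atm` directly above the changed condition is now wrong, because the condition also accepts `https://`; the first hunk updated its copy of this comment but this one was left behind and should become `# We only support git:// urls and https:// urls atm` as well. The `-o` in the new test is raised on the first hunk of this file.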
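Review bot: `--show_diff` makes `puppet apply` print the content diff of every file it changes, and in this branch the output goes to stdout (the `--logdest=syslog` branch is unaffected), so a run with `COSMOS_VERBOSE=y` now writes the old and new contents of managed files — including any credentials they hold — to whatever captures the run. If that is acceptable for how verbose runs are used, a comment saying so would help; otherwise limiting it to interactive use, `[ -t 1 ] && args="$args --show_diff"`, bounds the exposure. Passing `$m` as an argument instead of on stdin looks right, presumably so puppet knows the manifest's path for its messages.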
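Review bot: The new `if (( $RANDOM % 20 == 0)); then` relies on two bash features, `$RANDOM` and `(( ))`, but the file keeps its `#!/bin/sh` shebang (the first context line of the hunk); on systems where /bin/sh is dash, `$RANDOM` expands to nothing and `((`…`))` is parsed as nested subshells, so the test never succeeds and autoremove silently stops running. Changing the shebang to `#!/bin/bash` fixes it, and the 1-in-20 sampling deserves a comment, e.g. `# Run autoremove on roughly one cosmos run in twenty instead of every time` — presumably to avoid an apt update on every run, which the hunk does not state.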
@@ -9,9 +9,13 @@ stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"  if ! test -f $stamp -a -f /usr/bin/puppet; then      codename=`lsb_release -c| awk '{print $2}'` -    wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb -    dpkg -i puppetlabs-release-${codename}.deb -    rm -f puppetlabs-release-${codename}.deb* +    puppetdeb="$COSMOS_REPO/apt/puppetlabs-release-${codename}.deb" +    if [ ! -f $puppetdeb ]; then +	echo "$0: Puppet deb for release $codename not found in $COSMOS_REPO/apt/" +	echo "    Get it from https://apt.puppetlabs.com/ and put it in the Cosmos repo." +	exit 1 +    fi +    dpkg -i $puppetdeb      apt-get update      apt-get -y install puppet-common | 
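Review bot: The two new `echo "$0: ..."` diagnostics before `exit 1` go to stdout rather than stderr, so in a non-verbose run they can be mixed with or filtered away from normal output; appending `>&2` to both lines is the usual form. `$puppetdeb` is expanded unquoted in `[ ! -f $puppetdeb ]` and `dpkg -i $puppetdeb` although it is built from `$COSMOS_REPO`, so a repo path containing a space breaks both; `"$puppetdeb"` is safer. Shipping the release deb from the Cosmos repo instead of fetching it over plain http is a genuine improvement, presumably because the repo checkout is itself tag-verified; a one-line comment recording that this is why the deb is trusted would document the reasoning. The enclosing `if ! test -f $stamp ...` block continues past the hunk.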
