Diffstat (limited to 'global/overlay/etc/puppet')
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf2
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp42
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp56
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp12
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp19
-rwxr-xr-xglobal/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb78
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb7
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb5
8 files changed, 2 insertions, 219 deletions
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index 20c6106..f27a90b 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -14,6 +14,8 @@ xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-*
hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-*
augeas git://github.com/SUNET/puppet-augeas.git yes sunet-*
docker git://github.com/SUNET/garethr-docker.git yes sunet_dev-*
+sunet git://github.com/SUNET/puppet-sunet.git yes sunet-*
+
#
# Alternate sources you might or might not want to use:
#concat puppetlabs/concat no
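Review bot: The added `sunet` line pulls the module over the `git://` transport, which provides neither server authentication nor transport integrity, and the third column (`yes`, matching the neighbouring entries) appears to enable automatic updates, so the Puppet code that the deleted in-tree manifests used to provide will now be fetched at run time from the network. Whether the `sunet-*` tag pattern is also checked for a trusted signature is decided by the cosmos fetch script, which is not in this diff — confirm that before relying on it as the only integrity control. If it is not, prefer an authenticated transport for the new entry: `sunet https://github.com/SUNET/puppet-sunet.git yes sunet-*`. The same applies to the existing `git://` entries in this file, but those are unchanged by this commit.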
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
deleted file mode 100644
index 8df416b..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
+++ /dev/null
@@ -1,42 +0,0 @@
-# Common use of docker::run
-define sunet::docker_run(
- $image,
- $imagetag = hiera('sunet_docker_default_tag', 'latest'),
- $volumes = [],
- $ports = [],
- $env = [],
- $net = 'bridge',
- $extra_parameters = [],
-) {
-
- # Make container use unbound resolver on dockerhost
- # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
- $dns = $net ? {
- 'host' => [], # docker refuses --dns with --net host
- default => [pick($::ipaddress_docker0, '172.17.42.1')],
- }
-
- $image_tag = "${image}:${imagetag}"
- docker::image { $image_tag : } ->
-
- docker::run {$name :
- use_name => true,
- image => $image_tag,
- volumes => flatten([$volumes,
- '/etc/passwd:/etc/passwd:ro', # uid consistency
- '/etc/group:/etc/group:ro', # gid consistency
- ]),
- ports => $ports,
- env => $env,
- net => $net,
- extra_parameters => flatten([$extra_parameters,
- '--rm',
- ]),
- dns => $dns,
- verify_checksum => false, # Rely on registry security for now. eduID risk #31.
- pre_start => 'run-parts /usr/local/etc/docker.d',
- post_start => 'run-parts /usr/local/etc/docker.d',
- pre_stop => 'run-parts /usr/local/etc/docker.d',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
deleted file mode 100644
index 67f75f9..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
+++ /dev/null
@@ -1,56 +0,0 @@
-# Install docker from https://get.docker.com/ubuntu
-class sunet::dockerhost {
- apt::source {'docker_official':
- location => 'https://get.docker.com/ubuntu',
- release => 'docker',
- repos => 'main',
- key => 'A88D21E9',
- include_src => false
- }
- package {'lxc-docker':
- ensure => latest,
- }
-
- class {'docker':
- manage_package => false,
- }
-
- package { 'unbound': ensure => 'latest' }
- service { 'unbound': ensure => 'running' }
-
- file { '/usr/local/etc/docker.d/20unbound':
- ensure => file,
- path => '/usr/local/etc/docker.d/20unbound',
- mode => '0755',
- content => template('sunet/dockerhost/20unbound.erb'),
- }
-
- file { '/etc/logrotate.d/docker-containers':
- ensure => file,
- path => '/etc/logrotate.d/docker-containers',
- mode => '0644',
- content => template('sunet/dockerhost/logrotate_docker-containers.erb'),
- }
-
- file { '/etc/unbound/unbound.conf.d/docker.conf':
- ensure => file,
- path => '/etc/unbound/unbound.conf.d/docker.conf',
- mode => '0644',
- content => template('sunet/dockerhost/unbound_docker.conf.erb'),
- notify => Service['unbound'],
- }
-
- ufw::allow { 'allow-docker-resolving_udp':
- port => '53',
- ip => $::ipaddress_docker0, # both IPv4 and IPv6
- from => '172.16.0.0/12',
- proto => 'udp',
- }
- ufw::allow { 'allow-docker-resolving_tcp':
- port => '53',
- ip => $::ipaddress_docker0, # both IPv4 and IPv6
- from => '172.16.0.0/12',
- proto => 'tcp',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
deleted file mode 100644
index 9956e00..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
+++ /dev/null
@@ -1,12 +0,0 @@
-define sunet::encrypted_swap() {
-
- package { 'ecryptfs-utils':
- ensure => 'installed'
- } ->
-
- exec {'sunet_ecryptfs_setup_swap':
- command => '/usr/bin/ecryptfs-setup-swap -f',
- onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
deleted file mode 100644
index 8ff7325..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
+++ /dev/null
@@ -1,19 +0,0 @@
-define sunet::ethernet_bonding() {
- # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1,
- # for all physical hosts that are running Ubuntu.
- #
- # Bonding requires setup in /etc/network/interfaces as well.
- #
- if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' {
- if $::operatingsystemrelease <= '12.04' {
- package {'ifenslave': ensure => 'present' }
- } else {
- package {'ifenslave-2.6': ensure => 'present' }
- }
-
- file_line { 'load_module_at_boot':
- path => '/etc/modules',
- line => 'bonding',
- }
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
deleted file mode 100755
index 204e97c..0000000
--- a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-#
-# This script registers/removes docker containers IP addresses
-# from the local unbound resolver in the post-start / pre-stop actions.
-#
-# For action pre-start, it checks if there is a CID file that needs to be
-# cleaned away to not prevent the new container from starting.
-#
-
-# sunet_docker_pre-post: CID d05a0842ce1700ee3328d42ccf5c2f29cc3d71fa6dcc6a72f994f8d032453be7
-# sunet_docker_pre-post: ACTION pre-stop
-# sunet_docker_pre-post: IMAGE docker.sunet.se/eduid/eduid-mm-service
-# sunet_docker_pre-post: NAME eduid-mm-service
-#for e in "CID" "ACTION" "IMAGE" "NAME"; do
-# logger -t sunet_docker_pre-post "$e `printenv $e`"
-#done
-
-logtag="sunet_docker_pre-post[$ACTION]"
-logger -t "${logtag}" "$NAME ($IMAGE), CID: '$CID'"
-
-if [ "x$ACTION" = "xpre-start" ]; then
- if [ -f "${CIDFILE}" ]; then
- # Clean away the CID file in pre-start if the container is in fact not running
- docker inspect "${CID}" 2>/dev/null || (
- logger -t "${logtag}" "Removing left-over CID file '${CIDFILE}' (CID ${CID})";
- rm -f "${CIDFILE}"
- )
- fi
-
- # Remove any stopped container with this name to prevent the docker start script
- # from just restarting that one (instead of starting the currently tagged image,
- # which might be newer than the one used by the old container)
- docker inspect "${NAME}" && docker rm "${NAME}"
- exit 0
-fi
-
-if [ "x${CID}" = "x" ]; then
- CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
-
- if [ "x${CID}" = "x" ]; then
- # sometimes containers start slow...
- for retry in 1 2 3 4 5; do
- sleep 1
- logger -t "${logtag}" "Retrying CID lookup for ${NAME}"
- CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
- if [ "x${CID}" != "x" ]; then
- break
- fi
- done
- fi
-
- if [ "x${CID}" = "x" ]; then
- logger -t "${logtag}" "No CID provided or found! Aborting."
- exit 0
- fi
-
- logger -t "${logtag}" "Found CID ${CID} using docker inspect on '${NAME}'"
-fi
-
-# Remove registered name.
-# XXX this does NOT handle multiple instances of the same image running on
-# a single Docker host!
-logger -t "${logtag}" "Un-registering ${NAME}.docker"
-unbound-control local_data_remove "${NAME}.docker." > /dev/null
-
-# If it is a container starting up, register it's IP address
-if [ "x$ACTION" = "xpost-start" ]; then
- ip=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "${CID}" 2>/dev/null)
- if [ "x${ip}" = "x" ]; then
- logger -t "${logtag}" "Failed to get IP from CID ${CID}. Aborting."
- exit 0
- fi
- unbound-control local_data "${NAME}.docker. 60 IN A ${ip}" > /dev/null
- # Register reverse pointer - there is no local_data_ptr command unfortunately
- ptr=$(echo "${ip}" | awk -F . '{print $4"."$3"."$2"."$1".in-addr.arpa."}')
- unbound-control local_data "${ptr} 60 IN PTR ${NAME}.docker."
- logger -t "${logtag}" "Registered ${NAME}.docker at ${ip}"
-fi
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
deleted file mode 100644
index 6cf5fe9..0000000
--- a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-/var/lib/docker/containers/*/*.log {
- rotate 7
- daily
- compress
- delaycompress
- copytruncate
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
deleted file mode 100644
index f6bb382..0000000
--- a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
+++ /dev/null
@@ -1,5 +0,0 @@
-server:
- local-zone: docker. static
- interface: 127.0.0.1
- interface: 172.17.42.1
- access-control: 172.16.0.0/12 allow