From 8a67b007b3d36864ac70a9182b0e5273411de83e Mon Sep 17 00:00:00 2001
From: Leif Johansson
Date: Sat, 9 May 2015 17:02:05 +0200
Subject: switch to sunet module
---
global/overlay/etc/puppet/cosmos-modules.conf | 2 +
.../puppet/modules/sunet/manifests/docker_run.pp | 42 ------------
.../puppet/modules/sunet/manifests/dockerhost.pp | 56 ----------------
.../modules/sunet/manifests/encrypted_swap.pp | 12 ----
.../modules/sunet/manifests/ethernet_bonding.pp | 19 ------
.../sunet/templates/dockerhost/20unbound.erb | 78 ----------------------
.../dockerhost/logrotate_docker-containers.erb | 7 --
.../templates/dockerhost/unbound_docker.conf.erb | 5 --
8 files changed, 2 insertions(+), 219 deletions(-)
delete mode 100644 global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
delete mode 100644 global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
delete mode 100644 global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
delete mode 100644 global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
delete mode 100755 global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
delete mode 100644 global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
delete mode 100644 global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index 20c6106..f27a90b 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -14,6 +14,8 @@ xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-*
 hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-*
 augeas git://github.com/SUNET/puppet-augeas.git yes sunet-*
 docker git://github.com/SUNET/garethr-docker.git yes sunet_dev-*
+sunet git://github.com/SUNET/puppet-sunet.git yes sunet-*
+
 #
 # Alternate sources you might or might not want to use:
 #concat puppetlabs/concat no
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
deleted file mode 100644
index 8df416b..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
+++ /dev/null
@@ -1,42 +0,0 @@
-# Common use of docker::run
-define sunet::docker_run(
- $image,
- $imagetag = hiera('sunet_docker_default_tag', 'latest'),
- $volumes = [],
- $ports = [],
- $env = [],
- $net = 'bridge',
- $extra_parameters = [],
-) {
-
- # Make container use unbound resolver on dockerhost
- # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
- $dns = $net ? {
- 'host' => [], # docker refuses --dns with --net host
- default => [pick($::ipaddress_docker0, '172.17.42.1')],
- }
-
- $image_tag = "${image}:${imagetag}"
- docker::image { $image_tag : } ->
-
- docker::run {$name :
- use_name => true,
- image => $image_tag,
- volumes => flatten([$volumes,
- '/etc/passwd:/etc/passwd:ro', # uid consistency
- '/etc/group:/etc/group:ro', # gid consistency
- ]),
- ports => $ports,
- env => $env,
- net => $net,
- extra_parameters => flatten([$extra_parameters,
- '--rm',
- ]),
- dns => $dns,
- verify_checksum => false, # Rely on registry security for now. eduID risk #31.
- pre_start => 'run-parts /usr/local/etc/docker.d',
- post_start => 'run-parts /usr/local/etc/docker.d',
- pre_stop => 'run-parts /usr/local/etc/docker.d',
- }
-
-}
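Review bot: The new `sunet` line at the top of this hunk fetches the module over `git://github.com/SUNET/puppet-sunet.git`, an unauthenticated and unencrypted transport, so the integrity of what the module loader checks out rests entirely on the network path; the existing entries use the same scheme, but this is the right moment to write the new one as `sunet https://github.com/SUNET/puppet-sunet.git yes sunet-*`. The trailing `yes sunet-*` columns look like the same verification flag and tag pattern the lines above carry; if `yes` means tag signatures are checked, that limits the exposure for tag checkouts, but the hunk does not show which column means what, so a one-line comment above the entry naming the expected tag pattern would help the next reader. The files deleted later in this commit (docker_run, dockerhost, encrypted_swap, ethernet_bonding and the dockerhost templates) are now expected to come from that upstream module, and nothing here pins the module to a release that actually ships them; a note recording the minimum `sunet-*` tag would make that dependency explicit.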
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
deleted file mode 100644
index 67f75f9..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
+++ /dev/null
@@ -1,56 +0,0 @@
-# Install docker from https://get.docker.com/ubuntu
-class sunet::dockerhost {
- apt::source {'docker_official':
- location => 'https://get.docker.com/ubuntu',
- release => 'docker',
- repos => 'main',
- key => 'A88D21E9',
- include_src => false
- }
- package {'lxc-docker':
- ensure => latest,
- }
-
- class {'docker':
- manage_package => false,
- }
-
- package { 'unbound': ensure => 'latest' }
- service { 'unbound': ensure => 'running' }
-
- file { '/usr/local/etc/docker.d/20unbound':
- ensure => file,
- path => '/usr/local/etc/docker.d/20unbound',
- mode => '0755',
- content => template('sunet/dockerhost/20unbound.erb'),
- }
-
- file { '/etc/logrotate.d/docker-containers':
- ensure => file,
- path => '/etc/logrotate.d/docker-containers',
- mode => '0644',
- content => template('sunet/dockerhost/logrotate_docker-containers.erb'),
- }
-
- file { '/etc/unbound/unbound.conf.d/docker.conf':
- ensure => file,
- path => '/etc/unbound/unbound.conf.d/docker.conf',
- mode => '0644',
- content => template('sunet/dockerhost/unbound_docker.conf.erb'),
- notify => Service['unbound'],
- }
-
- ufw::allow { 'allow-docker-resolving_udp':
- port => '53',
- ip => $::ipaddress_docker0, # both IPv4 and IPv6
- from => '172.16.0.0/12',
- proto => 'udp',
- }
- ufw::allow { 'allow-docker-resolving_tcp':
- port => '53',
- ip => $::ipaddress_docker0, # both IPv4 and IPv6
- from => '172.16.0.0/12',
- proto => 'tcp',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
deleted file mode 100644
index 9956e00..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
+++ /dev/null
@@ -1,12 +0,0 @@
-define sunet::encrypted_swap() {
-
- package { 'ecryptfs-utils':
- ensure => 'installed'
- } ->
-
- exec {'sunet_ecryptfs_setup_swap':
- command => '/usr/bin/ecryptfs-setup-swap -f',
- onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
deleted file mode 100644
index 8ff7325..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
+++ /dev/null
@@ -1,19 +0,0 @@
-define sunet::ethernet_bonding() {
- # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1,
- # for all physical hosts that are running Ubuntu.
- #
- # Bonding requires setup in /etc/network/interfaces as well.
- #
- if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' {
- if $::operatingsystemrelease <= '12.04' {
- package {'ifenslave': ensure => 'present' }
- } else {
- package {'ifenslave-2.6': ensure => 'present' }
- }
-
- file_line { 'load_module_at_boot':
- path => '/etc/modules',
- line => 'bonding',
- }
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
deleted file mode 100755
index 204e97c..0000000
--- a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/20unbound.erb
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-#
-# This script registers/removes docker containers IP addresses
-# from the local unbound resolver in the post-start / pre-stop actions.
-#
-# For action pre-start, it checks if there is a CID file that needs to be
-# cleaned away to not prevent the new container from starting.
-#
-
-# sunet_docker_pre-post: CID d05a0842ce1700ee3328d42ccf5c2f29cc3d71fa6dcc6a72f994f8d032453be7
-# sunet_docker_pre-post: ACTION pre-stop
-# sunet_docker_pre-post: IMAGE docker.sunet.se/eduid/eduid-mm-service
-# sunet_docker_pre-post: NAME eduid-mm-service
-#for e in "CID" "ACTION" "IMAGE" "NAME"; do
-# logger -t sunet_docker_pre-post "$e `printenv $e`"
-#done
-
-logtag="sunet_docker_pre-post[$ACTION]"
-logger -t "${logtag}" "$NAME ($IMAGE), CID: '$CID'"
-
-if [ "x$ACTION" = "xpre-start" ]; then
- if [ -f "${CIDFILE}" ]; then
- # Clean away the CID file in pre-start if the container is in fact not running
- docker inspect "${CID}" 2>/dev/null || (
- logger -t "${logtag}" "Removing left-over CID file '${CIDFILE}' (CID ${CID})";
- rm -f "${CIDFILE}"
- )
- fi
-
- # Remove any stopped container with this name to prevent the docker start script
- # from just restarting that one (instead of starting the currently tagged image,
- # which might be newer than the one used by the old container)
- docker inspect "${NAME}" && docker rm "${NAME}"
- exit 0
-fi
-
-if [ "x${CID}" = "x" ]; then
- CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
-
- if [ "x${CID}" = "x" ]; then
- # sometimes containers start slow...
- for retry in 1 2 3 4 5; do
- sleep 1
- logger -t "${logtag}" "Retrying CID lookup for ${NAME}"
- CID=$(docker inspect --format '{{ .Id }}' "${NAME}" 2>/dev/null)
- if [ "x${CID}" != "x" ]; then
- break
- fi
- done
- fi
-
- if [ "x${CID}" = "x" ]; then
- logger -t "${logtag}" "No CID provided or found! Aborting."
- exit 0
- fi
-
- logger -t "${logtag}" "Found CID ${CID} using docker inspect on '${NAME}'"
-fi
-
-# Remove registered name.
-# XXX this does NOT handle multiple instances of the same image running on
-# a single Docker host!
-logger -t "${logtag}" "Un-registering ${NAME}.docker"
-unbound-control local_data_remove "${NAME}.docker." > /dev/null
-
-# If it is a container starting up, register it's IP address
-if [ "x$ACTION" = "xpost-start" ]; then
- ip=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "${CID}" 2>/dev/null)
- if [ "x${ip}" = "x" ]; then
- logger -t "${logtag}" "Failed to get IP from CID ${CID}. Aborting."
- exit 0
- fi
- unbound-control local_data "${NAME}.docker. 60 IN A ${ip}" > /dev/null
- # Register reverse pointer - there is no local_data_ptr command unfortunately
- ptr=$(echo "${ip}" | awk -F . '{print $4"."$3"."$2"."$1".in-addr.arpa."}')
- unbound-control local_data "${ptr} 60 IN PTR ${NAME}.docker."
- logger -t "${logtag}" "Registered ${NAME}.docker at ${ip}"
-fi
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
deleted file mode 100644
index 6cf5fe9..0000000
--- a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/logrotate_docker-containers.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-/var/lib/docker/containers/*/*.log {
- rotate 7
- daily
- compress
- delaycompress
- copytruncate
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb b/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
deleted file mode 100644
index f6bb382..0000000
--- a/global/overlay/etc/puppet/modules/sunet/templates/dockerhost/unbound_docker.conf.erb
+++ /dev/null
@@ -1,5 +0,0 @@
-server:
- local-zone: docker. static
- interface: 127.0.0.1
- interface: 172.17.42.1
- access-control: 172.16.0.0/12 allow
-- cgit v1.1