Puppet Class: profile::puppet::agent

Defined in:
modules/profile/manifests/puppet/agent.pp

Summary

Install and configure the Puppet agent

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • puppetmaster (String) (defaults to: lookup('puppetmaster'))

    the puppet server

  • ca_server (Optional[String[1]]) (defaults to: lookup('puppet_ca_server'))

    the ca server

  • site_nearest_core (Hash[Wmflib::Sites, Wmflib::Sites]) (defaults to: lookup('site_nearest_core'))

    mapping from each site to its nearest core site (used to derive the SRV domain for non-core sites)

  • use_srv_records (Boolean) (defaults to: lookup('profile::puppet::agent::use_srv_records'))

    if true use SRV records to resolve the puppet server and ca server

  • srv_domain (Optional[Stdlib::Fqdn]) (defaults to: lookup('profile::puppet::agent::srv_domain'))

    the domain to use when resolving SRV records. puppet will look for records at _x-puppet._tcp.$srv_domain and _x-puppet-ca._tcp.$srv_domain

  • interval (Integer[1,59]) (defaults to: lookup('profile::puppet::agent::interval'))

    the interval, in minutes, between puppet agent runs

  • timer_seed (Optional[String[1]]) (defaults to: lookup('profile::puppet::agent::timer_seed'))

    Add the ability to seed the systemd timer offset. Useful if runs happen to collide with another job

  • environment (Optional[String[1]]) (defaults to: lookup('profile::puppet::agent::environment'))

    the agent environment

  • serialization_format (Enum['pson', 'json', 'msgpack']) (defaults to: lookup('profile::puppet::agent::serialization_format'))

    the serialisation format of catalogs

  • dns_alt_names (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::puppet::agent::dns_alt_names'))

    a list of dns alt names

  • certificate_revocation (Optional[Enum['chain', 'leaf', 'false']]) (defaults to: lookup('profile::puppet::agent::certificate_revocation'))

    The level of certificate revocation checking to perform. When left unset the class forces 'leaf', so an absent hiera key never silently disables revocation checking; only the explicit string 'false' turns it off

  • create_timer (Boolean) (defaults to: lookup('profile::puppet::agent::create_timer', {'default_value' => true}))

    whether to create the systemd agent timer

  • facts_soft_limit (Optional[Integer]) (defaults to: lookup('profile::puppet::agent::facts_soft_limit', {'default_value' => 2048}))


# File 'modules/profile/manifests/puppet/agent.pp', line 16

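# Install and configure the Puppet agent on a WMF host.
#
# Responsibilities:
#   * select the agent packages per Debian release (bullseye/trixie get the
#     puppet7 component, bookworm the distro package)
#   * wire up puppet::agent (server, CA, SRV resolution, revocation checking)
#   * install the WMF helper scripts under /usr/local/{bin,sbin}
#   * create the systemd run timer and log rotation / rsyslog / motd glue
#
# Parameters are documented on the class header in the generated docs; the
# security-relevant ones are $certificate_revocation (forced to 'leaf' when
# unset, see below) and $dns_alt_names (extra SANs requested for the agent
# certificate; the CA still has to accept them).
class profile::puppet::agent (
    String                             $puppetmaster           = lookup('puppetmaster'),
    Optional[String[1]]                $ca_server              = lookup('puppet_ca_server'),
    Hash[Wmflib::Sites, Wmflib::Sites] $site_nearest_core      = lookup('site_nearest_core'),
    Boolean                            $use_srv_records        = lookup('profile::puppet::agent::use_srv_records'),
    Optional[Stdlib::Fqdn]             $srv_domain             = lookup('profile::puppet::agent::srv_domain'),
    Integer[1,59]                      $interval               = lookup('profile::puppet::agent::interval'),
    Optional[String[1]]                $timer_seed             = lookup('profile::puppet::agent::timer_seed'),
    Optional[String[1]]                $environment            = lookup('profile::puppet::agent::environment'),
    Enum['pson', 'json', 'msgpack']    $serialization_format   = lookup('profile::puppet::agent::serialization_format'),
    Array[Stdlib::Fqdn]                $dns_alt_names          = lookup('profile::puppet::agent::dns_alt_names'),
    Optional[Integer]                  $facts_soft_limit       = lookup('profile::puppet::agent::facts_soft_limit', {'default_value' => 2048}),
    Boolean                            $create_timer           = lookup('profile::puppet::agent::create_timer', {'default_value' => true}),
    Optional[Enum['chain', 'leaf', 'false']] $certificate_revocation = lookup('profile::puppet::agent::certificate_revocation'),
) {
    # Package selection per Debian release. The apt priorities (1002/1003)
    # decide which repository wins for the agent and its ruby dependencies;
    # they are deliberately above the default 500 so the intended build is
    # installed even when a newer version exists elsewhere.
    if debian::codename::eq('bullseye') {
        # Use the backported version
        apt::package_from_component { 'puppet':
            component => 'component/puppet7',
            priority  => 1002,
        }
        # facter 4 needs a more recent version of ruby-sys-filesystem to
        # parse sysfs structures for the "mountpoints" fact  T381538
        apt::package_from_component { 'ruby-sys-filesystem':
            component => 'component/puppet7',
            packages  => ['ruby-sys-filesystem']
        }
    } elsif debian::codename::eq('trixie') {
        # On trixie we initially use a forward port of the Puppet agent from Bookworm
        # Later one, once the Puppet repo is fully compatible with Puppet 8, we'll
        # switch to using the 8.10 client shipped in Trixie
        # - Puppet 7 needs ruby-concurrent 1.1.x, but Trixie includes 1.3.5. Since no
        #   package we use needs ruby-concurrent, we're installing a forward port of
        #   ruby-concurrent from bookworm and configure apt to use it
        # - To unbreak some dependency cycles, ruby-defaults (which is the package which
        #   declares what version of rubyX.Y is pulled in by ruby etc. meta packages)
        #   declares a Breaks: on the puppet7-agent. This blocks deploying the Puppet
        #   Puppet 7 agent and we don't need it for our upgrades, so ruby-defaults
        #   was rebuilt without the Breaks:
        apt::package_from_component { 'puppet7-forward-port':
            component => 'component/puppet7',
            priority  => 1002,
            packages  => ['ruby-concurrent', 'ruby', 'libruby', 'puppet', 'puppet-agent']
        }
    } else { # bookworm
        # Add a priority on the debian repos as we have a forward port in wikimedia/main
        apt::pin { 'puppet':
            pin      => 'release l=Debian',
            priority => 1003,
        }
    }
    # Force leaf on puppet7 T330490
    # Security: an unset hiera key must not silently disable revocation
    # checking, so undef becomes 'leaf' here. Only the explicit string
    # 'false' (an allowed Enum value above) turns it off.
    $_certificate_revocation = $certificate_revocation.lest || { 'leaf' }
    # SRV domain: core sites (codfw/eqiad) use their own domain, every other
    # site uses the domain of its nearest core site.
    # NOTE(review): a site missing from $site_nearest_core yields undef and
    # therefore an interpolated ".wmnet"; an explicit fail() would be clearer,
    # but it is left as-is here because srv_domain is only meaningful when
    # $use_srv_records is true — confirm before tightening.
    $_srv_domain = $srv_domain.lest || {
        $::site ? {
            /codfw|eqiad/ => "${::site}.wmnet",
            default       => "${site_nearest_core[$::site]}.wmnet",
        }
    }
    class { 'puppet::agent':
        server                 => $puppetmaster,
        ca_server              => $ca_server,
        use_srv_records        => $use_srv_records,
        srv_domain             => $_srv_domain,
        dns_alt_names          => $dns_alt_names,
        environment            => $environment,
        certificate_revocation => $_certificate_revocation,
        facts_soft_limit       => $facts_soft_limit,
    }

    class { 'puppet_statsd':
    }

    class { 'prometheus::node_puppet_agent': }
    include profile::puppet::client_bucket

    ensure_packages([
        # needed for the ssh_ca_host_certificate custom fact
        'ruby-net-ssh',
        # needed by the locate-unmanaged script
        'python3-yaml',
    ])

    # Mode 0751 to make sure non-root users can access
    # /var/lib/puppet/state/agent_disabled.lock to check if puppet is enabled
    # (traverse-only for "other": the directory is not listable, only the
    # known paths below it are reachable).
    ensure_resource(
        'file',
        '/var/lib/puppet',
        {
            'ensure' => 'directory',
            'owner'  => 'puppet',
            'group'  => 'puppet',
            'mode'   => '0751',
        },
    )
    # WMF helper scripts. Read-only helpers are 0555 (any user may read and
    # run them); anything that changes agent state (disable/enable/run) is
    # 0550 root:root so unprivileged users can neither read nor execute it.
    file {
        default:
            ensure => file,
            mode   => '0555',
            owner  => 'root',
            group  => 'root';
        '/usr/local/share/bash/puppet-common.sh':
            source => 'puppet:///modules/profile/puppet/bin/puppet-common.sh';
        '/usr/local/sbin/puppet-run':
            source => 'puppet:///modules/profile/puppet/bin/puppet-run.sh';
        '/usr/local/bin/puppet-enabled':
            source => 'puppet:///modules/profile/puppet/bin/puppet-enabled';
        '/usr/local/sbin/disable-puppet':
            mode   => '0550',
            source => 'puppet:///modules/profile/puppet/bin/disable-puppet';
        '/usr/local/sbin/enable-puppet':
            mode   => '0550',
            source => 'puppet:///modules/profile/puppet/bin/enable-puppet';
        '/usr/local/sbin/run-puppet-agent':
            mode   => '0550',
            source => 'puppet:///modules/profile/puppet/bin/run-puppet-agent';
        '/usr/local/sbin/run-no-puppet':
            mode   => '0550',
            source => 'puppet:///modules/profile/puppet/bin/run-no-puppet';
        '/usr/local/sbin/locate-unmanaged':
            mode   => '0550',
            source => 'puppet:///modules/profile/puppet/bin/locate-unmanaged.py';
    }
    # Per-host deterministic start offset in [0, interval) so agent runs are
    # spread across the fleet instead of all firing at the same minute; the
    # optional seed lets an operator shift a host whose runs collide with
    # another job.
    $min = $interval.fqdn_rand($timer_seed)
    # systemd OnCalendar: every $interval minutes, starting at minute $min.
    $timer_interval = "*:${min}/${interval}:00"

    if $create_timer {
        systemd::timer::job { 'puppet-agent-timer':
            ensure        => present,
            description   => "Run Puppet agent every ${interval} minutes",
            user          => 'root',
            # presumably keeps a failed run from leaving the unit in a failed
            # state; the run itself is monitored elsewhere — confirm
            ignore_errors => true,
            command       => '/usr/local/sbin/puppet-run',
            interval      => [
                { 'start' => 'OnCalendar', 'interval' => $timer_interval },
                # also run shortly after boot, not just on the calendar
                { 'start' => 'OnStartupSec', 'interval' => '1min' },
            ],
        }
    }

    logrotate::rule { 'puppet':
        ensure       => present,
        file_glob    => '/var/log/puppet /var/log/puppet.log',
        frequency    => 'daily',
        compress     => true,
        missing_ok   => true,
        not_if_empty => true,
        rotate       => 7,
        post_rotate  => ['/usr/lib/rsyslog/rsyslog-rotate'],
    }

    rsyslog::conf { 'puppet-agent':
        source   => 'puppet:///modules/profile/puppet/rsyslog.conf',
        priority => 10,
        # the logrotate rule above is expected to manage this file; order the
        # rsyslog drop-in after it so the log has rotation before it is written
        require  => File['/etc/logrotate.d/puppet'],
    }
    motd::script { 'last-puppet-run':
        ensure   => present,
        priority => 97,
        source   => 'puppet:///modules/profile/puppet/97-last-puppet-run',
    }
}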