Puppet Class: profile::wmcs::instance
- Defined in:
- modules/profile/manifests/wmcs/instance.pp
Overview
basic profile for every CloudVPS instance
# File 'modules/profile/manifests/wmcs/instance.pp', line 2
# @param mount_nfs
#   When true, profile::wmcs::nfsclient is required. Looked up from the
#   'mount_nfs' key; defaults to false.
# @param metricsinfra_prometheus_nodes
#   FQDNs that the 'metricsinfra-prometheus-all' ferm rule accepts traffic
#   from. Looked up from the 'metricsinfra_prometheus_nodes' key; defaults to
#   an empty array, in which case no rule is declared.
class profile::wmcs::instance(
    Boolean $mount_nfs = lookup('mount_nfs', {default_value => false}),
    Array[Stdlib::Fqdn] $metricsinfra_prometheus_nodes = lookup('metricsinfra_prometheus_nodes', {default_value => []}),
) {
    # a VM without isc-dhcp-client can be considered broken
    ensure_packages(['isc-dhcp-client'])
    # cloud-init is installed on base cloud images, but
    # ensuring it here may prevent it from being accidentally
    # removed, e.g. as part of a weird dependency behavior
    # in T361749
    ensure_packages(['cloud-init'])
    # Declare the sudo class only if nothing has declared it yet. defined()
    # depends on evaluation order, so this guard only sees declarations that
    # were evaluated before this line.
    if ! defined(Class['Sudo']) {
        class { 'sudo': }
    }
    # Members of the 'ops' group may run any command as any user without a
    # password, so membership of that group is equivalent to root on the
    # instance.
    # NOTE(review): where 'ops' membership is managed is not visible in this
    # class (presumably the directory configured by
    # profile::ldap::client::labs) -- confirm, and treat changes to that group
    # as privileged changes.
    sudo::group { 'ops':
        privileges => ['ALL=(ALL) NOPASSWD: ALL'],
    }
    # Global sudo defaults (T205463): passwd_tries=0 leaves no password
    # attempts, so sudo fails instead of prompting when a rule would require a
    # password, and lecture="never" suppresses the first-use lecture.
    # validate_cmd runs visudo in check mode against the candidate file ('%')
    # before it is installed, so a syntax error cannot break sudo. The file is
    # root-owned and 0440.
    file { '/etc/sudoers.d/T205463-disable-sudo-password-prompts':
        ensure => 'present',
        owner => 'root',
        group => 'root',
        mode => '0440',
        content => "Defaults passwd_tries=0,lecture=\"never\"\n",
        validate_cmd => '/usr/sbin/visudo -cqf %',
        require => Class['sudo'],
    }
    class { 'profile::ldap::client::labs': }
    # TODO: remove after a full puppet cycle
    # Only the mode is managed here (0640, i.e. no access for "other");
    # owner, group and existence of the log files are left untouched.
    file { [ '/var/log/syslog', '/var/log/messages', ]:
        mode => '0640',
    }
    # World-readable, root-owned marker files holding the instance's hostname
    # and the value of the top-scope $wmcs_project variable.
    file { '/etc/wmcs-instancename':
        owner => 'root',
        group => 'root',
        mode => '0444',
        content => "${::hostname}\n",
    }
    file { '/etc/wmcs-project':
        owner => 'root',
        group => 'root',
        mode => '0444',
        content => "${::wmcs_project}\n",
    }
    # Compatibility symlinks under the older wmflabs names.
    # NOTE(review): debian::codename::le('bullseye') presumably matches
    # bullseye and older releases -- confirm against the function definition.
    if debian::codename::le('bullseye') {
        file { '/etc/wmflabs-project':
            ensure => link,
            target => '/etc/wmcs-project',
        }
        file { '/etc/wmflabs-instancename':
            ensure => link,
            target => '/etc/wmcs-instancename',
        }
        # wmflabs_imageversion is provided by labs_vmbuilder/files/postinst.copy
        # because this is a pre-installed file, migrating is nontrivial, so we keep
        # the original file name.
        file { '/etc/wmcs-imageversion':
            ensure => link,
            target => '/etc/wmflabs_imageversion',
        }
    }
    # /etc/mailname carries the instance FQDN.
    file { '/etc/mailname':
        ensure => present,
        content => "${::fqdn}\n",
        owner => 'root',
        group => 'root',
        mode => '0444',
    }
    package { 'puppet-lint':
        ensure => present,
    }
    # We are using nfsv4, which doesn't require rpcbind on clients. T241710
    # However, removing the package removes nfs-common.
    # So the service is stopped and masked instead of being uninstalled.
    # NOTE(review): 'creates' only checks that the unit path exists, not that
    # it is a mask; a pre-existing local override at that path would make the
    # exec skip without masking the service.
    if $facts['nfscommon_version'] {
        service { 'rpcbind':
            ensure => 'stopped',
        }
        exec { 'systemctl mask rpcbind.service':
            path => ['/bin', '/usr/bin'],
            creates => '/etc/systemd/system/rpcbind.service',
        }
    }
    # Allows per-host placement of NFS mounts, defaults to false
    if $mount_nfs {
        require profile::wmcs::nfsclient
    }
    # In production, we try to be punctilious about having Puppet manage
    # system state, and thus it's reasonable to purge Apache site configs
    # that have not been declared via Puppet. But on Labs we want to allow
    # users to manage configuration files locally if they so choose,
    # without having Puppet clobber them. So provision a
    # /etc/apache2/sites-local directory for Apache to recurse into during
    # initialization, but do not manage its contents.
    #
    # The three steps are chained with '&&' inside one command string, and the
    # 'onlyif' guard is true only while apache2.conf exists and sites-local
    # does not. If mkdir succeeds but a later step fails, the guard is false on
    # every following run and the Include line is never appended.
    # Apache loads whatever is placed in sites-local and Puppet does not track
    # it, so write access to that directory (created 0755) is what limits who
    # can change the web server configuration.
    # The continuation lines below are part of the single-quoted string.
    exec { 'enable_sites_local':
        command => '/bin/mkdir -m0755 /etc/apache2/sites-local && \
/usr/bin/touch /etc/apache2/sites-local/dummy.conf && \
/bin/echo "Include sites-local/*" >> /etc/apache2/apache2.conf',
        onlyif => '/usr/bin/test -e /etc/apache2/apache2.conf -a ! -d /etc/apache2/sites-local',
    }
    class { 'prometheus::node_ssh_open_sessions': }
    # TODO: move this so it doesn't need a lint:ignore for a lookup in the middle of a class
    # Every class named under the 'classes' lookup key is included on this
    # instance.
    # NOTE(review): whoever can edit that key for a host decides which classes
    # are applied to it; the data source and its access control are not
    # visible here, so treat it as part of the trust boundary.
    lookup('classes', {default_value => []}).include() # lint:ignore:wmf_styleguide
    # Signal to rc.local that this VM is up and we don't need to run the firstboot
    # script anymore
    # (empty marker file; owner, group and mode are not managed here)
    file { '/root/firstboot_done':
        ensure => present,
        content => '',
    }
    # Update /etc/hosts using the new cloud-init template.
    # Note that cloud-init will only update the file if
    # manage_etc_hosts = True in the initial cloud setup
    # of the VM. That means that legacy VMs (from before
    # widespread adoption of cloud-init) will not
    # be affected by this.
    #
    # We might also be on a system that doesn't have cloud-init
    # at all, which is just fine.
    #
    # refreshonly: this runs only when notified by the hosts template below,
    # and 'onlyif' skips it when /usr/bin/cloud-init is absent.
    exec { 'cloud-init refresh /etc/hosts':
        command => '/usr/bin/cloud-init single -n cc_update_etc_hosts',
        onlyif => '/usr/bin/test -f /usr/bin/cloud-init',
        refreshonly => true,
    }
    # Root-owned 0755 directories that hold the cloud-init template.
    file { ['/etc/cloud', '/etc/cloud/templates']:
        ensure => directory,
        owner => 'root',
        group => 'root',
        mode => '0755',
    }
    # Rendered from an ERB template; any change notifies the exec above so
    # that /etc/hosts is regenerated.
    file { '/etc/cloud/templates/hosts.debian.tmpl':
        ensure => present,
        content => template('profile/wmcs/instance/hosts.debian.tmpl.erb'),
        owner => 'root',
        group => 'root',
        require => File['/etc/cloud', '/etc/cloud/templates'],
        notify => Exec['cloud-init refresh /etc/hosts'],
        mode => '0644',
    }
    # sudo rules added by cloud-init for the 'debian' user, not needed in our setup
    # Removing them leaves the sudo::group rule above as the only sudo grant
    # declared in this class.
    file { [ '/etc/sudoers.d/90-cloud-init-users', '/etc/sudoers.d/debian-cloud-init' ]:
        ensure => absent,
    }
    # this seems to be installed by default but doesn't do much on a VM.
    # T287309
    package { 'smartmontools':
        ensure => absent,
        notify => Exec['reset-failed for smartmontools'],
    }
    # Runs only when notified by the package removal above; clears the failed
    # state of smartd.service.
    exec { 'reset-failed for smartmontools':
        path => ['/bin', '/usr/bin'],
        command => 'systemctl reset-failed smartd.service',
        refreshonly => true,
    }
    class {'::cinderutils': }
    # When Prometheus nodes are configured, accept traffic from them. The rule
    # text carries no protocol or port restriction, so every service on the
    # instance is reachable from those hosts.
    # NOTE(review): @resolve() turns the FQDNs into addresses when the rule
    # set is built, so the allowlist is only as trustworthy as the DNS answers
    # at that time -- confirm that this breadth is intended, or narrow the
    # rule to the exporter ports.
    if !empty($metricsinfra_prometheus_nodes) {
        ferm::rule { 'metricsinfra-prometheus-all':
            rule => "saddr @resolve((${metricsinfra_prometheus_nodes.join(' ')})) ACCEPT;"
        }
    }
}