Redo slave manifests for clarity and correctness.

The differences between openstack_project::slave,
openstack_project::slave_template, and openstack_project::bare_slave
were not always clear. Keep openstack_project::slave as the default long
running slave manifest, but replace slave_template with a
single_use_slave.pp to make it clear where single use slave config
begins. Add the ability to toggle automatic upgrades and jenkins sudo
rights to this new manifest. Finally, add a more verbose comment to
bare_slave explaining what it is useful for (having a jenkins like slave
host that doesn't need a firewall or ntp or automatic upgrades).

Change-Id: I3989c9e6ad9469f441ca5d3627f7b3b704d8a8da

doc/source/nodepool.rst

@@ -15,7 +15,7 @@ At a Glance
   * nodepool.openstack.org
 :Puppet:
   * :file:`modules/nodepool/`
-  * :file:`modules/openstack_project/manifests/dev_slave_template.pp`
+  * :file:`modules/openstack_project/manifests/single_use_slave.pp`
 :Configuration:
   * :file:`modules/openstack_project/templates/nodepool/nodepool.yaml.erb`
   * :file:`modules/openstack_project/files/nodepool/scripts/`

manifests/site.pp

@@ -556,16 +556,6 @@ node 'pbx.openstack.org' {
   }
 }
 
-# A bare machine, but with a jenkins user
-node /^.*\.template\.openstack\.org$/ {
-  include openstack_project::slave_template
-}
-
-# A bare machine, but with a jenkins user
-node /^.*dev-.*\.template\.openstack\.org$/ {
-  include openstack_project::dev_slave_template
-}
-
 # A backup machine.  Don't run cron or puppet agent on it.
 node /^ci-backup-.*\.openstack\.org$/ {
   include openstack_project::backup_server
@@ -710,12 +700,6 @@ node /^fedora18-dev\d+\.slave\.openstack\.org$/ {
   }
 }
 
-node /^.*\.jclouds\.openstack\.org$/ {
-  class { 'openstack_project::bare_slave':
-    certname => 'jclouds.openstack.org',
-  }
-}
-
 node 'openstackid-dev.openstack.org' {
   class { 'openstack_project::openstackid_dev':
     sysadmins            => hiera('sysadmins'),

modules/openstack_project/files/nodepool/scripts/prepare_node.sh

@@ -17,8 +17,10 @@
 # limitations under the License.
 
 HOSTNAME=$1
+SUDO=$2
 
-sudo hostname $1
+
+sudo hostname $HOSTNAME
 wget https://git.openstack.org/cgit/openstack-infra/config/plain/install_puppet.sh
 sudo bash -xe install_puppet.sh
 sudo git clone https://review.openstack.org/p/openstack-infra/config.git \
@@ -26,10 +28,10 @@ sudo git clone https://review.openstack.org/p/openstack-infra/config.git \
 sudo /bin/bash /root/config/install_modules.sh
 if [ -z "$NODEPOOL_SSH_KEY" ] ; then
     sudo puppet apply --modulepath=/root/config/modules:/etc/puppet/modules \
-	-e "class {'openstack_project::slave_template': }"
+	-e "class {'openstack_project::single_use_slave': sudo => $SUDO, }"
 else
     sudo puppet apply --modulepath=/root/config/modules:/etc/puppet/modules \
-	-e "class {'openstack_project::slave_template': install_users => false, ssh_key => '$NODEPOOL_SSH_KEY', }"
+	-e "class {'openstack_project::single_use_slave': install_users => false, sudo => $SUDO, ssh_key => '$NODEPOOL_SSH_KEY', }"
 fi
 
 sudo mkdir -p /opt/git

modules/openstack_project/files/nodepool/scripts/prepare_node_bare.sh

@@ -18,5 +18,4 @@
 
 HOSTNAME=$1
 
-./prepare_node.sh $HOSTNAME
+./prepare_node.sh $HOSTNAME false
-sudo puppet apply --modulepath=/root/config/modules:/etc/puppet/modules -e "class {'openstack_project::bare_slave': }"

modules/openstack_project/files/nodepool/scripts/prepare_node_devstack.sh

@@ -18,5 +18,5 @@
 
 HOSTNAME=$1
 
-./prepare_node.sh $HOSTNAME
+./prepare_node.sh $HOSTNAME true
 sudo -u jenkins -i /opt/nodepool-scripts/prepare_devstack.sh $HOSTNAME

modules/openstack_project/files/nodepool/scripts/prepare_node_tripleo.sh

@@ -20,5 +20,5 @@ HOSTNAME=$1
 
 # Workaround bug 1270646 during node bootstrapping.
 sudo ip link set mtu 1458 dev eth0
-./prepare_node.sh $HOSTNAME
+./prepare_node.sh $HOSTNAME true
 sudo -u jenkins -i /opt/nodepool-scripts/prepare_tripleo.sh $HOSTNAME

modules/openstack_project/manifests/bare_slave.pp

@@ -1,5 +1,7 @@
-# bare-bones slaves spun up by jclouds. Specifically need to not set ssh
+# Super simple slave manifest that installs something very
-# login limits, because it screws up jclouds provisioning
+# similar to an OpenStack Jenkins slave but does not need to
+# have services managed like firewall, ntp, automatic upgrades,
+# and so on.
 class openstack_project::bare_slave(
   $certname = $::fqdn,
   $install_users = true

modules/openstack_project/manifests/dev_slave_template.pp

@@ -1,16 +0,0 @@
-# == Class: openstack_project::dev_slave_template
-#
-class openstack_project::dev_slave_template (
-  $install_users = true,
-  $ssh_key = $openstack_project::jenkins_dev_ssh_key
-) inherits openstack_project {
-  class { 'openstack_project::template':
-    iptables_public_tcp_ports => [],
-    install_users             => $install_users,
-  }
-  class { 'jenkins::slave':
-    ssh_key => $ssh_key,
-    sudo    => true,
-    bare    => true,
-  }
-}

modules/openstack_project/manifests/single_use_slave.pp

@@ -0,0 +1,30 @@
+# == Class: openstack_project::single_use_slave
+#
+# This class configures single use Jenkins slaves with a few
+# toggleable options. Most importantly sudo rights for the Jenkins
+# user are by default off but can be enabled. Also, automatic_upgrades
+# are off by default as the assumption is the backing image for
+# this single use slaves will be refreshed with new packages
+# periodically.
+class openstack_project::single_use_slave (
+  $certname = $::fqdn,
+  $install_users = true,
+  $sudo = false,
+  $automatic_upgrades = false,
+  $ssh_key = $openstack_project::jenkins_ssh_key
+) inherits openstack_project {
+  class { 'openstack_project::template':
+    certname           => $certname,
+    automatic_upgrades => $automatic_upgrades,
+    install_users      => $install_users,
+    # Port 8000 from the devstack neutron public net to allow
+    # nova servers to reach heat-api-cfn
+    iptables_rules4    =>
+      ['-p tcp --dport 8000 -s 172.24.4.0/24 -j ACCEPT'],
+  }
+  class { 'jenkins::slave':
+    ssh_key => $ssh_key,
+    sudo    => $sudo,
+    bare    => true,
+  }
+}

modules/openstack_project/manifests/slave_template.pp

@@ -1,20 +0,0 @@
-# == Class: openstack_project::slave_template
-#
-class openstack_project::slave_template (
-  $install_users = true,
-  $ssh_key = $openstack_project::jenkins_ssh_key
-) inherits openstack_project {
-  class { 'openstack_project::template':
-    # Port 8000 from the devstack neutron public net to allow
-    # nova servers to reach heat-api-cfn
-    iptables_rules4           =>
-      ['-p tcp --dport 8000 -s 172.24.4.0/24 -j ACCEPT'],
-    iptables_public_tcp_ports => [],
-    install_users             => $install_users,
-  }
-  class { 'jenkins::slave':
-    ssh_key => $ssh_key,
-    sudo    => true,
-    bare    => true,
-  }
-}

modules/openstack_project/manifests/template.pp

@@ -8,11 +8,14 @@ class openstack_project::template (
   $iptables_rules4           = [],
   $iptables_rules6           = [],
   $install_users = true,
+  $automatic_upgrades = true,
   $certname = $::fqdn
 ) {
   include ssh
   include snmpd
-  include openstack_project::automatic_upgrades
+  if $automatic_upgrades == true {
+    include openstack_project::automatic_upgrades
+  }
 
   class { 'iptables':
     public_tcp_ports => $iptables_public_tcp_ports,