diff --git a/launch/README b/launch/README index deb7327837..7f1283cdba 100644 --- a/launch/README +++ b/launch/README @@ -3,12 +3,11 @@ Create Server Note that these instructions assume you're working from this directory on an updated local clone of the repository on the -puppetmaster, and that your account is a member of the admin, puppet -and salt groups for access to their respective keys:: +puppetmaster, and that your account is a member of the admin +and puppet groups for access to their respective keys:: sudo adduser $(whoami) admin sudo adduser $(whoami) puppet - sudo adduser $(whoami) salt (Remember to log out and back into your shell if you add yourself to a group.) @@ -32,10 +31,6 @@ To launch a node in the OpenStack Jenkins account (slave nodes):: sudo puppet cert generate $FQDN ./launch-node.py $FQDN --image "$IMAGE" --flavor "$FLAVOR" -There is also a --salt option which can be used to tell the script to -automatically configure and enroll the server as a minion on the salt -master. - If you are launching a replacement server, you may skip the generate step and specify the name of an existing puppet cert (as long as the private key is on this host). diff --git a/launch/launch-node.py b/launch/launch-node.py index 27351b626e..e38ac8c7f4 100755 --- a/launch/launch-node.py +++ b/launch/launch-node.py @@ -23,7 +23,6 @@ import os import time import traceback import argparse -import shutil import dns import utils @@ -38,9 +37,6 @@ IPV6 = os.environ.get('IPV6', '0') is 1 SCRIPT_DIR = os.path.dirname(sys.argv[0]) -SALT_MASTER_PKI = os.environ.get('SALT_MASTER_PKI', '/etc/salt/pki/master') -SALT_MINION_PKI = os.environ.get('SALT_MINION_PKI', '/etc/salt/pki/minion') - def get_client(): args = [NOVA_USERNAME, NOVA_PASSWORD, NOVA_PROJECT_ID, NOVA_URL] 
@@ -56,8 +52,8 @@ def get_client(): return client -def bootstrap_server(server, admin_pass, key, cert, environment, name, - salt_priv, salt_pub, puppetmaster): +def bootstrap_server( + server, admin_pass, key, cert, environment, name, puppetmaster): ip = utils.get_public_ip(server) if not ip: raise Exception("Unable to find public ip of server") @@ -107,16 +103,6 @@ def bootstrap_server(server, admin_pass, key, cert, environment, name, ssh_client.ssh("chmod 0750 /var/lib/puppet/ssl/private_keys") ssh_client.ssh("chmod 0755 /var/lib/puppet/ssl/public_keys") - if salt_pub and salt_priv: - # Assuming salt-master is running on the puppetmaster - shutil.copyfile(salt_pub, - os.path.join(SALT_MASTER_PKI, 'minions', name)) - ssh_client.ssh('mkdir -p {0}'.format(SALT_MINION_PKI)) - ssh_client.scp(salt_pub, - os.path.join(SALT_MINION_PKI, 'minion.pub')) - ssh_client.scp(salt_priv, - os.path.join(SALT_MINION_PKI, 'minion.pem')) - for ssldir in ['/var/lib/puppet/ssl/certs/', '/var/lib/puppet/ssl/private_keys/', '/var/lib/puppet/ssl/public_keys/']: @@ -138,7 +124,7 @@ def bootstrap_server(server, admin_pass, key, cert, environment, name, def build_server( - client, name, image, flavor, cert, environment, salt, puppetmaster): + client, name, image, flavor, cert, environment, puppetmaster): key = None server = None @@ -159,15 +145,11 @@ def build_server( traceback.print_exc() raise - salt_priv, salt_pub = (None, None) - if salt: - salt_priv, salt_pub = utils.add_salt_keypair( - SALT_MASTER_PKI, name, 2048) try: admin_pass = server.adminPass server = utils.wait_for_resource(server) bootstrap_server(server, admin_pass, key, cert, environment, name, - salt_priv, salt_pub, puppetmaster) + puppetmaster) print('UUID=%s\nIPV4=%s\nIPV6=%s\n' % (server.id, server.accessIPv4, server.accessIPv6)) 
@@ -197,8 +179,6 @@ def main(): parser.add_argument("--cert", dest="cert", help="name of signed puppet certificate file (e.g., " "hostname.example.com.pem)") - parser.add_argument("--salt", dest="salt", action="store_true", - help="Manage salt keys for this host.") parser.add_argument("--server", dest="server", help="Puppetmaster to use.", default="ci-puppetmaster.openstack.org") options = parser.parse_args() @@ -239,7 +219,7 @@ def main(): print "Found image", image build_server(client, options.name, image, flavor, cert, - options.environment, options.salt, options.server) + options.environment, options.server) dns.print_dns(client, options.name) if __name__ == '__main__': diff --git a/launch/utils.py b/launch/utils.py index 2811a17ebc..0ed05c3319 100644 --- a/launch/utils.py +++ b/launch/utils.py @@ -30,7 +30,6 @@ try: except: pass import paramiko -import salt.crypt from sshclient import SSHClient @@ -136,26 +135,6 @@ def add_keypair(client, name): return key, kp -def add_salt_keypair(keydir, keyname, keysize=2048): - ''' - Generate a key pair for use with Salt - ''' - salt_priv = '{0}.pem'.format(keyname) - salt_pub = '{0}.pub'.format(keyname) - priv_key = os.path.join(keydir, salt_priv) - pub_key = os.path.join(keydir, salt_pub) - if not os.path.exists(priv_key) or \ - not os.path.exists(pub_key): - try: - os.makedirs(keydir) - except OSError: - pass - priv_key = salt.crypt.gen_keys(keydir, keyname, keysize) - path, ext = os.path.splitext(priv_key) - pub_key = '{0}.pub'.format(path) - return priv_key, pub_key - - def wait_for_resource(wait_resource): last_progress = None last_status = None diff --git a/manifests/site.pp b/manifests/site.pp index 6a77340661..1f86a874c8 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
@@ -162,7 +162,6 @@ node 'ci-puppetmaster.openstack.org' { node 'puppetmaster.openstack.org' { class { 'openstack_project::puppetmaster': root_rsa_key => hiera('puppetmaster_root_rsa_key', 'XXX'), - salt => false, update_slave => false, sysadmins => hiera('sysadmins', ['admin']), version => '3.4.', @@ -641,14 +640,6 @@ node 'pypi.slave.openstack.org' { } } -# Node-OS: precise -node 'salt-trigger.slave.openstack.org' { - include openstack_project - class { 'openstack_project::salt_trigger_slave': - jenkins_ssh_public_key => $openstack_project::jenkins_ssh_key, - } -} - # Node-OS: precise node /^precise-dev\d+.*\.slave\.openstack\.org$/ { include openstack_project diff --git a/modules/openstack_project/files/salt-trigger.sudoers b/modules/openstack_project/files/salt-trigger.sudoers deleted file mode 100644 index 4fc848aaba..0000000000 --- a/modules/openstack_project/files/salt-trigger.sudoers +++ /dev/null @@ -1,2 +0,0 @@ -# Allow jenkins user to send Salt messages to the Salt Master -jenkins ALL=(ALL) NOPASSWD: /usr/bin/salt-call event.fire_master* diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp index 3a891397dd..86f024eace 100644 --- a/modules/openstack_project/manifests/puppetmaster.pp +++ b/modules/openstack_project/manifests/puppetmaster.pp @@ -2,7 +2,6 @@ # class openstack_project::puppetmaster ( $root_rsa_key, - $salt = true, $update_slave = true, $sysadmins = [], $version = '2.7.', @@ -19,13 +18,6 @@ class openstack_project::puppetmaster ( ca_server => $ca_server, } - if ($salt) { - class { 'salt': - salt_master => 'ci-puppetmaster.openstack.org', - } - class { 'salt::master': } - } - if ($update_slave) { $cron_command = 'bash /opt/config/production/run_all.sh' logrotate::file { 'updatepuppetmaster': 
@@ -45,6 +37,13 @@ class openstack_project::puppetmaster ( $cron_command = 'sleep $((RANDOM\%600)) && cd /opt/config/production && git fetch -q && git reset -q --hard @{u} && ./install_modules.sh && touch manifests/site.pp' } + class { 'salt': + ensure => absent, + } + class { 'salt::master': + ensure => absent, + } + cron { 'updatepuppetmaster': user => 'root', minute => '*/15', diff --git a/modules/openstack_project/manifests/salt_trigger_slave.pp b/modules/openstack_project/manifests/salt_trigger_slave.pp deleted file mode 100644 index 126dac48a5..0000000000 --- a/modules/openstack_project/manifests/salt_trigger_slave.pp +++ /dev/null @@ -1,22 +0,0 @@ -# Slave used for automatically triggering commands on the salt master. -# -# == Class: openstack_project::salt_trigger_slave -# -class openstack_project::salt_trigger_slave ( - $jenkins_ssh_public_key = '' -) { - - class { 'openstack_project::slave': - ssh_key => $jenkins_ssh_public_key, - } - - file { '/etc/sudoers.d/salt-trigger': - ensure => present, - owner => 'root', - group => 'root', - mode => '0440', - source => 'puppet:///modules/openstack_project/salt-trigger.sudoers', - replace => true, - } - -} diff --git a/modules/openstack_project/manifests/slave.pp b/modules/openstack_project/manifests/slave.pp index 6365f9b6d8..be992241cc 100644 --- a/modules/openstack_project/manifests/slave.pp +++ b/modules/openstack_project/manifests/slave.pp @@ -10,12 +10,9 @@ class openstack_project::slave ( ) { include openstack_project + include openstack_project::automatic_upgrades include openstack_project::tmpcleanup - class { 'openstack_project::automatic_upgrades': - origins => ['LP-PPA-saltstack-salt precise'], - } - class { 'openstack_project::server': iptables_public_tcp_ports => [], certname => $certname, @@ -28,7 +25,7 @@ class openstack_project::slave ( } class { 'salt': - salt_master => 'ci-puppetmaster.openstack.org', + ensure => absent, } include jenkins::cgroups 
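Review bot: In the slave.pp hunk at -28,7, `class { 'salt': ensure => absent, }` leaves the minion key directory in place as far as this commit shows: the init.pp hunks only set the package, `/etc/salt/minion` and the service absent, and nothing touches `/etc/salt/pki/minion`, the default path where the deleted launch-node.py code copied `minion.pem`. The minion private key would therefore likely remain on every slave after the removal run. Consider adding `file { '/etc/salt/pki/minion': ensure => absent, force => true, }` to the absent branch of class salt. The same kind of leftover applies to the deleted salt_trigger_slave.pp: dropping the class stops managing `/etc/sudoers.d/salt-trigger`, but does not remove that NOPASSWD rule from a host that already has it.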
diff --git a/modules/salt/manifests/init.pp b/modules/salt/manifests/init.pp index 8bd180e313..2506048d02 100644 --- a/modules/salt/manifests/init.pp +++ b/modules/salt/manifests/init.pp @@ -1,34 +1,46 @@ # Class salt # class salt ( + $ensure = present, $salt_master = $::fqdn ) { + if ($ensure == present) { + $running_ensure = running + } else { + $running_ensure = stopped + } + if ($::osfamily == 'Debian') { include apt # Wrap in ! defined checks to allow minion and master installs on the # same host. - if ! defined(Apt::Ppa['ppa:saltstack/salt']) { - apt::ppa { 'ppa:saltstack/salt': } + if ($ensure == present) { + if ! defined(Apt::Ppa['ppa:saltstack/salt']) { + apt::ppa { 'ppa:saltstack/salt': } + } + Apt::Ppa['ppa:saltstack/salt'] -> Package['salt-minion'] + } else { + file { '/etc/apt/sources.list.d/saltstack-salt-precise.list': + ensure => absent + } } if ! defined(Package['python-software-properties']) { package { 'python-software-properties': - ensure => present, + ensure => $ensure, } } - Apt::Ppa['ppa:saltstack/salt'] -> Package['salt-minion'] - } package { 'salt-minion': - ensure => present + ensure => $ensure } file { '/etc/salt/minion': - ensure => present, + ensure => $ensure, owner => 'root', group => 'root', mode => '0644', @@ -38,7 +50,7 @@ class salt ( } service { 'salt-minion': - ensure => running, + ensure => $running_ensure, enable => true, require => File['/etc/salt/minion'], subscribe => [ diff --git a/modules/salt/manifests/master.pp b/modules/salt/manifests/master.pp index c6c55bd1be..a59d1a829f 100644 --- a/modules/salt/manifests/master.pp +++ b/modules/salt/manifests/master.pp 
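Review bot: `package { 'python-software-properties': ensure => $ensure, }` in the init.pp hunk at -1,34 ties a shared helper package to salt's lifecycle, so `ensure => absent` uninstalls it from the node even if other PPA-based sources still depend on it; the master.pp hunk at -1,37 makes the same change. Keeping it at `ensure => present` inside the `if ($ensure == present)` branch, and leaving it unmanaged otherwise, avoids that side effect. Separately, the else branch removes only `/etc/apt/sources.list.d/saltstack-salt-precise.list`; the PPA's signing key presumably stays in apt's trusted keyring, and the hard-coded `precise` file name will not match hosts on another release.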
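Review bot: `enable => true` is left unchanged next to `ensure => $running_ensure` in the init.pp hunk at -38,7, so with `ensure => absent` the salt-minion service is declared stopped but still enabled at boot; the salt-master service in the master.pp hunk at -109,7 has the same combination. Derive the flag where `$running_ensure` is set, e.g. `$enable_ensure = false` in the else branch, and use `enable => $enable_ensure,` in the service. Because the package is set absent in the same run, the service resource may also fail once its init script is gone, which is worth checking on a test node. The service resource continues outside the hunk.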
@@ -1,37 +1,47 @@ # Class salt::master # -class salt::master { +class salt::master ( + $ensure = present, +) { + + if ($ensure == present) { + $directory_ensure = directory + $running_ensure = running + } else { + $directory_ensure = absent + $running_ensure = stopped + } if ($::osfamily == 'Debian') { include apt # Wrap in ! defined checks to allow minion and master installs on the # same host. - if ! defined(Apt::Ppa['ppa:saltstack/salt']) { - apt::ppa { 'ppa:saltstack/salt': } + if ($ensure == present) { + if ! defined(Apt::Ppa['ppa:saltstack/salt']) { + apt::ppa { 'ppa:saltstack/salt': } + } + Apt::Ppa['ppa:saltstack/salt'] -> Package['salt-master'] } if ! defined(Package['python-software-properties']) { package { 'python-software-properties': - ensure => present, + ensure => $ensure, } } - - Apt::Ppa['ppa:saltstack/salt'] -> Package['salt-master'] - } package { 'salt-master': - ensure => present + ensure => $ensure } group { 'salt': - ensure => present, + ensure => $ensure, system => true, } user { 'salt': - ensure => present, + ensure => $ensure, gid => 'salt', home => '/home/salt', shell => '/bin/bash', @@ -40,7 +50,7 @@ class salt::master { } file { '/home/salt': - ensure => directory, + ensure => $directory_ensure, owner => 'salt', group => 'salt', mode => '0755', @@ -48,7 +58,7 @@ class salt::master { } file { '/etc/salt/master': - ensure => present, + ensure => $ensure, owner => 'salt', group => 'salt', mode => '0644', @@ -58,7 +68,7 @@ class salt::master { } file { '/srv/reactor': - ensure => directory, + ensure => $directory_ensure, owner => 'salt', group => 'salt', mode => '0755', @@ -69,7 +79,7 @@ class salt::master { } file { '/srv/reactor/tests.sls': - ensure => present, + ensure => $ensure, owner => 'salt', group => 'salt', mode => '0644', @@ -82,7 +92,7 @@ class salt::master { } file { '/etc/salt/pki': - ensure => directory, + ensure => $directory_ensure, owner => 'salt', group => 'salt', mode => '0710', 
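Review bot: `ensure => $directory_ensure` resolves to `absent` for the directory resources, and Puppet's file type does not delete a directory on `ensure => absent` unless `force => true` is set. This affects `/home/salt` (-40,7), `/srv/reactor` (-58,7) and `/etc/salt/pki` (-82,7) here, plus `/etc/salt/pki/master` (-93,7) and `/etc/salt/pki/master/minions` (-101,7) further down. The resource bodies are only partly visible in these hunks, but if none of them sets `force`, the master key pair and the accepted minion keys stay on disk after the removal run. Adding `force => true,` to these resources for the absent case would make the cleanup actually remove the key material.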
@@ -93,7 +103,7 @@ class salt::master { } file { '/etc/salt/pki/master': - ensure => directory, + ensure => $directory_ensure, owner => 'salt', group => 'salt', mode => '0770', @@ -101,7 +111,7 @@ class salt::master { } file { '/etc/salt/pki/master/minions': - ensure => directory, + ensure => $directory_ensure, owner => 'salt', group => 'salt', mode => '0775', @@ -109,7 +119,7 @@ class salt::master { } service { 'salt-master': - ensure => running, + ensure => $running_ensure, enable => true, require => [ User['salt'],
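Review bot: The `require => [ User['salt'], …` list on Service['salt-master'] in the hunk at -109,7 is written for installation order, so in the absent case Puppet applies the `user { 'salt': ensure => absent }` change before it stops the service. If the daemon is still running under the salt account at that point (presumably it is, given the salt-owned config and pki paths), the user removal can fail or leave processes running under an orphaned UID. The relationships should be made conditional on `$ensure`, so that on removal the service is stopped first and the user and group are removed afterwards. The require list continues outside the hunk, so other entries may need the same treatment.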