Puppet the Ubuntu sources.list files on servers

Because some of our virtual machine providers have perverse ideas
about maintaining their own mirrors of security update package
repositories, which is widely acknowledged[*] as an unsafe practice,
it's easiest to just fix this with a consistent sources.list file
across all our servers and not bother with package mirrors for now.

Note this should not affect our single-use workers as they do not
apply the openstack_project::server class.

[*] http://askubuntu.com/questions/646853

Change-Id: I26c1ba0e0b6366249b9634f85bb54ed412ecb789
Jeremy Stanley 2016-01-14 18:56:24 +00:00
parent 5e63349100
commit 94acd79ea0
4 changed files with 41 additions and 1 deletions

@ -0,0 +1,13 @@
# This file is kept updated by puppet, adapted from
# https://help.ubuntu.com/12.04/sample/sources.list
deb http://us.archive.ubuntu.com/ubuntu precise main restricted
deb http://us.archive.ubuntu.com/ubuntu precise-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu precise universe
deb http://us.archive.ubuntu.com/ubuntu precise-updates universe
deb http://us.archive.ubuntu.com/ubuntu precise multiverse
deb http://us.archive.ubuntu.com/ubuntu precise-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu precise-security main restricted
deb http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
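
Review bot: The main, updates and backports lines hardcode us.archive.ubuntu.com, so every server that receives this file pulls from the US mirror regardless of where it is hosted. Consider archive.ubuntu.com or a mirror hostname supplied as a parameter. The precise-security lines pointing directly at security.ubuntu.com match what the commit message asks for.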

@ -0,0 +1,13 @@
# This file is kept updated by puppet, adapted from
# http://ubuntuguide.org/wiki/Ubuntu_Trusty_Packages_and_Repositories
deb http://us.archive.ubuntu.com/ubuntu trusty main restricted
deb http://us.archive.ubuntu.com/ubuntu trusty-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu trusty universe
deb http://us.archive.ubuntu.com/ubuntu trusty-updates universe
deb http://us.archive.ubuntu.com/ubuntu trusty multiverse
deb http://us.archive.ubuntu.com/ubuntu trusty-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse
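
Review bot: This file repeats the precise one line for line with only the codename changed, so every new release needs another copied file and the two can drift apart. A single template that substitutes the codename would avoid that. The header also cites ubuntuguide.org, a wiki outside the ubuntu.com domain, where the precise file cites help.ubuntu.com; an official reference would be preferable for both.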

@ -41,5 +41,6 @@ class openstack_project::server (
sysadmins => $sysadmins, sysadmins => $sysadmins,
pypi_index_url => $pypi_index_url, pypi_index_url => $pypi_index_url,
pypi_trusted_hosts => $pypi_trusted_hosts, pypi_trusted_hosts => $pypi_trusted_hosts,
purge_apt_sources => true,
} }
} }
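
Review bot: purge_apt_sources => true is hardcoded in the class body with no comment, so a reader of openstack_project::server cannot tell why sources.list is being purged and a server that needs a different setting has no way to opt out. A one-line comment giving the reason (provider-maintained security mirrors), and optionally a class parameter defaulting to true, would make this easier to maintain.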

@ -29,6 +29,7 @@ class openstack_project::template (
'pypi.region-b.geo-1.openstack.org', 'pypi.region-b.geo-1.openstack.org',
'pypi.regionone.openstack.org', 'pypi.regionone.openstack.org',
], ],
$purge_apt_sources = false,
) { ) {
########################################################### ###########################################################
@ -197,7 +198,19 @@ class openstack_project::template (
case $::osfamily { case $::osfamily {
'Debian': { 'Debian': {
include apt # Purge and augment existing /etc/apt/sources.list if requested
class { '::apt':
purge => { 'sources.list' => $purge_apt_sources }
}
if $purge_apt_sources == true {
file { '/etc/apt/sources.list.d/openstack-infra.list':
ensure => present,
group => 'root',
mode => '0444',
owner => 'root',
source => "puppet:///modules/openstack_project/sources.list.${::lsbdistcodename}",
}
}
# Make sure dig is installed # Make sure dig is installed
package { 'dnsutils': package { 'dnsutils':
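
Review bot: The source path in the new file resource interpolates ${::lsbdistcodename}, but the only guards are osfamily 'Debian' and $purge_apt_sources, and this change ships files for precise and trusty only. On any other Debian-family release the source will not exist and the file resource will fail to apply, so restrict the block to the supported codenames or fail with an explicit message. Note also that the purge hash covers only 'sources.list', so any provider-supplied files already under /etc/apt/sources.list.d/ stay in place next to openstack-infra.list.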