From edaa31ebbda09fb03baf1d18b64f5fa996188745 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Mon, 17 Mar 2014 04:01:33 -0400
Subject: [PATCH] Add keys and script for puppet over ssh

In anticipation of driving puppet over ssh, we need keys on the hosts and the scripts on the master. Don't turn them on yet, because we want to be able to do some by-hand testing of the mechanism.

Change-Id: I2c353777e2f8fb5a2e733ce405ba40427ce901e5
---
 manifests/site.pp | 11 +++-
 modules/openstack_project/manifests/base.pp | 19 +++++++
 modules/openstack_project/manifests/params.pp | 1 +
 .../manifests/puppetmaster.pp | 23 +++++++++
 .../templates/run_remote_puppet.sh.erb | 51 +++++++++++++++++++
 modules/ssh/templates/sshd_config.erb | 2 +-
 run_all.sh | 27 ++++++++++
 7 files changed, 132 insertions(+), 2 deletions(-)
 create mode 100755 modules/openstack_project/templates/run_remote_puppet.sh.erb
 create mode 100755 run_all.sh

diff --git a/manifests/site.pp b/manifests/site.pp
index 6fc551fc8b..0bd6a3ab3a 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -126,7 +126,16 @@ node 'community.openstack.org' {
 node 'ci-puppetmaster.openstack.org' {
 class { 'openstack_project::puppetmaster':
- sysadmins => hiera('sysadmins'),
+ root_rsa_key => hiera('puppetmaster_root_rsa_key'),
+ override_list => [
+ 'git01.openstack.org',
+ 'git02.openstack.org',
+ 'git03.openstack.org',
+ 'git04.openstack.org',
+ 'git05.openstack.org',
+ 'review.openstack.org',
+ ],
+ sysadmins => hiera('sysadmins'),
 }
 }
diff --git a/modules/openstack_project/manifests/base.pp b/modules/openstack_project/manifests/base.pp
index 9185eccf0b..e504abd85a 100644
--- a/modules/openstack_project/manifests/base.pp
+++ b/modules/openstack_project/manifests/base.pp
@@ -63,6 +63,25 @@ class openstack_project::base(
 )
 }
+ if ! defined(File['/root/.ssh']) {
+ file { '/root/.ssh':
+ ensure => directory,
+ mode => '0700',
+ }
+ }
+
+ ssh_authorized_key { '/root/.ssh/authorized_keys':
+ ensure => present,
+ user => 'root',
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp',
+ options => [
+ "command=\"${::openstack_project::params::allowed_ssh_command}\"",
+ 'from="ci-puppetmaster.openstack.org"',
+ ],
+ require => File['/root/.ssh'],
+ }
+
 # Use upstream puppet and pin to version 2.7.*
 if ($::osfamily == 'Debian') {
 apt::source { 'puppetlabs':
diff --git a/modules/openstack_project/manifests/params.pp b/modules/openstack_project/manifests/params.pp
index 0a098f6894..9350c6802a 100644
--- a/modules/openstack_project/manifests/params.pp
+++ b/modules/openstack_project/manifests/params.pp
@@ -18,4 +18,5 @@ class openstack_project::params {
 fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).")
 }
 }
+ $allowed_ssh_command = 'timeout -s 9 30 puppet agent --test'
 }
diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp
index 6241202e6b..12c803e75c 100644
--- a/modules/openstack_project/manifests/puppetmaster.pp
+++ b/modules/openstack_project/manifests/puppetmaster.pp
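Review bot: The forced-command key added to root's authorized_keys restricts only which command runs; without `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` in the options, whoever holds the master's private key can still open TCP forwards through every host for as long as the forced command runs. The `from="ci-puppetmaster.openstack.org"` pattern is matched against the name sshd resolves for the connecting address (so it depends on reverse DNS and the host's UseDNS setting), which means a DNS problem can silently lock the master out and the restriction is only as strong as that DNS; listing the master's IP address(es) alongside the name is more robust. I would add `'no-port-forwarding', 'no-agent-forwarding', 'no-X11-forwarding', 'no-pty',` ahead of the `command=` entry, and a comment above the resource such as `# Lets the puppetmaster trigger an agent run over ssh; the key can run nothing but $allowed_ssh_command`. The enclosing openstack_project::base class starts and ends outside this hunk.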
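Review bot: `timeout -s 9 30 puppet agent --test` kills the agent with SIGKILL after 30 seconds, which is a tight budget for an agent run and leaves whatever resource was mid-apply half-applied (and possibly a stale agent run lock for the next run to cope with); a longer budget that sends SIGTERM first, e.g. `timeout -k 30 600 puppet agent --test`, lets puppet finish or clean up. Note also that `--test` implies `--detailed-exitcodes`, so a clean run that applied changes exits 2 rather than 0, and whatever consumes this command's status on the master has to treat 2 as success. A short comment on the constant would help the next reader, e.g. `# Forced command for the puppetmaster's root key (see base.pp); --test implies --detailed-exitcodes, so exit 2 means "changes applied", not failure`. The enclosing params class starts outside this hunk.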
@@ -1,8 +1,12 @@
 # == Class: openstack_project::puppetmaster
 #
 class openstack_project::puppetmaster (
+ $root_rsa_key,
+ $override_list = [],
 $sysadmins = []
 ) {
+ include openstack_project::params
+
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [4505, 4506, 8140],
 sysadmins => $sysadmins,
@@ -45,6 +49,25 @@ class openstack_project::puppetmaster (
 mode => '0750',
 }
+ file { '/usr/local/bin/run_remote_puppet':
+ ensure => present,
+ mode => '0700',
+ content => template('openstack_project/run_remote_puppet.sh.erb'),
+ }
+
+ if ! defined(File['/root/.ssh']) {
+ file { '/root/.ssh':
+ ensure => directory,
+ mode => '0700',
+ }
+ }
+
+ file { '/root/.ssh/id_rsa':
+ ensure => present,
+ mode => '0400',
+ content => $root_rsa_key,
+ }
+
 # Cloud credentials are stored in this directory for launch-node.py.
 file { '/root/ci-launch':
 ensure => directory,
diff --git a/modules/openstack_project/templates/run_remote_puppet.sh.erb b/modules/openstack_project/templates/run_remote_puppet.sh.erb
new file mode 100755
index 0000000000..f798df7f2c
--- /dev/null
+++ b/modules/openstack_project/templates/run_remote_puppet.sh.erb
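Review bot: `/root/.ssh/id_rsa` is written with `content => $root_rsa_key` but no `owner`/`group`, so the 0400 mode only protects the private key if the file happens to be created by root; pin `owner => 'root', group => 'root'` so a mis-owned file is corrected instead of left readable by whoever owns it (the same applies to `/usr/local/bin/run_remote_puppet`). Because the master is itself applied with `puppet agent --test`, which turns on show_diff, a change to this file's content should be expected to print the private key in diff form to the agent output and report; if the pinned puppet version supports a per-resource `show_diff` parameter, set `show_diff => false` on this file, otherwise be aware that key rotations land in the logs. A comment on the resource would help, e.g. `# Private half of the key that base.pp deploys to every host; used only by run_remote_puppet`. The enclosing puppetmaster class starts and ends outside this hunk.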
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This function will properly fail if puppet is disabled on the target host
+function run_ssh {
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$1 <%= scope.lookupvar('openstack_project::params::allowed_ssh_command') %>
+ ret=$?
+ # Did we timeout
+ if [ $ret eq 124 ]; the
+ echo "TODO: Timeout instead of other failure. Report this differently."
+ fi
+ return $ret
+}
+
+FULL_LIST=$(puppet cert list -a | grep '^\+' | awk '{print $2}' | sed 's/"//g')
+OVERRIDE_LIST="
+<% @override_list.each do |host| -%>
+<%= host %>
+<% end -%>
+"
+FILTERED_LIST=""
+for host in $FULL_LIST; do
+ if ! echo $OVERRIDE_LIST | grep $host >/dev/null 2>&1 ; then
+ FILTERED_LIST="$FILTERED_LIST $host"
+ fi
+done
+
+cd /opt/config/production
+
+# Run things that need to be ordered
+for host in $OVERRIDE_LIST; do
+ if ! run_ssh $host ; then
+ break
+ fi
+done
+
+# Now, run everyone else
+echo $FILTERED_LIST | xargs -P 10 -n 1 run_ssh
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 37d23b6a43..104c4485bd 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -23,7 +23,7 @@ LogLevel INFO
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin no
+PermitRootLogin forced-commands-only
 StrictModes yes
 RSAAuthentication yes
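Review bot: As written the template cannot run: `if [ $ret eq 124 ]; the` misspells `then` (bash rejects the `fi` that follows) and `eq` is missing its dash, and `xargs -P 10 -n 1 run_ssh` hands a shell function name to xargs, which can only exec a program, so every non-override host would fail with a "run_ssh: No such file or directory" style error. Separately, `puppet agent --test` implies `--detailed-exitcodes`, so a clean run that applied changes exits 2, and `if ! run_ssh $host ; then break` therefore aborts the ordered loop whenever a git host changes anything. `UserKnownHostsFile=/dev/null` with `StrictHostKeyChecking=no` also means the master never verifies which machine it is talking to; the forced-command key keeps that from leaking a secret, but a spoofed host could absorb the run while the real one stays unmanaged, so a known_hosts populated from the agents' host keys would be preferable to disabling checking. The rewrite below fixes the syntax, treats exit 2 as success and runs the function through a child bash so xargs can reach it; the host-key options are left as they are for a separate decision.
```shell
function run_ssh {
  ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "root@$1" <%= scope.lookupvar('openstack_project::params::allowed_ssh_command') %>
  ret=$?
  # 124 is timeout(1)'s own status. --test implies --detailed-exitcodes,
  # so 2 ("changes applied") is a successful run, not a failure.
  if [ "$ret" -eq 124 ]; then
    echo "TODO: Timeout instead of other failure. Report this differently."
  elif [ "$ret" -eq 2 ]; then
    ret=0
  fi
  return $ret
}
# xargs execs programs, not shell functions; export it for the child bash below
export -f run_ssh

# … unchanged: FULL_LIST / OVERRIDE_LIST / FILTERED_LIST construction, cd, ordered loop …

# Now, run everyone else
echo $FILTERED_LIST | xargs -P 10 -n 1 bash -c 'run_ssh "$@"' _
```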
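Review bot: `PermitRootLogin forced-commands-only` is changed in the shared sshd template, so it applies to every host that consumes modules/ssh, not only the hosts that receive the puppetmaster's key in base.pp; that is probably intended, but root's authorized_keys on every such host now becomes a sensitive file, since any entry carrying a `command=` option is a valid root login. A comment next to the directive would record the reason for the next reader, e.g. `# Root may log in only with a key that carries a command= restriction (agent runs triggered from the puppetmaster, see openstack_project::base)`.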
diff --git a/run_all.sh b/run_all.sh
new file mode 100755
index 0000000000..6f35c43359
--- /dev/null
+++ b/run_all.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+cd /opt/config/production
+git fetch -a && git reset -q --hard @{u}
+./install_modules.sh
+
+# One must touch manifests/site.pp to trick puppet into re-loading modules
+# some times
+touch manifests/site.pp
+
+# Run this as an external script so that the above pull will get new changes
+/usr/local/bin/run_remote_puppet
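Review bot: The script carries on after any failure: there is no `set -e`, so if `cd /opt/config/production` fails the git reset and module install run in the caller's directory, and a failed `git fetch` or `install_modules.sh` still ends in a fleet-wide puppet run against stale or half-installed modules. Add `set -e` after the shebang (or at least `cd /opt/config/production || exit 1`) so the remote runs are skipped when the checkout is not in a known state. Note also that in git-fetch `-a` is `--append`, not `--all`; if fetching every remote was the intent, `git fetch --all && git reset -q --hard @{u}` is what was meant, and plain `git fetch` suffices for the tracked remote. Since `reset --hard @{u}` means every commit that lands on the tracked branch is applied as root on every host, a comment stating that the branch is the trust boundary would help the next reader, e.g. `# Whatever is on the tracked branch is applied as root fleet-wide; that branch is the trust boundary`.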