Add keys and script for puppet over ssh
In anticipation of driving puppet over ssh, we need keys on the hosts and the scripts on the master. Don't turn them on yet, because we want to be able to do some by-hand testing of the mechanism. Change-Id: I2c353777e2f8fb5a2e733ce405ba40427ce901e5
This commit is contained in:
parent
04c3a045fc
commit
edaa31ebbd
@ -126,6 +126,15 @@ node 'community.openstack.org' {
|
|||||||
|
|
||||||
node 'ci-puppetmaster.openstack.org' {
|
node 'ci-puppetmaster.openstack.org' {
|
||||||
class { 'openstack_project::puppetmaster':
|
class { 'openstack_project::puppetmaster':
|
||||||
|
root_rsa_key => hiera('puppetmaster_root_rsa_key'),
|
||||||
|
override_list => [
|
||||||
|
'git01.openstack.org',
|
||||||
|
'git02.openstack.org',
|
||||||
|
'git03.openstack.org',
|
||||||
|
'git04.openstack.org',
|
||||||
|
'git05.openstack.org',
|
||||||
|
'review.openstack.org',
|
||||||
|
],
|
||||||
sysadmins => hiera('sysadmins'),
|
sysadmins => hiera('sysadmins'),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -63,6 +63,25 @@ class openstack_project::base(
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ! defined(File['/root/.ssh']) {
|
||||||
|
file { '/root/.ssh':
|
||||||
|
ensure => directory,
|
||||||
|
mode => '0700',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ssh_authorized_key { '/root/.ssh/authorized_keys':
|
||||||
|
ensure => present,
|
||||||
|
user => 'root',
|
||||||
|
type => 'ssh-rsa',
|
||||||
|
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp',
|
||||||
|
options => [
|
||||||
|
"command=\"${::openstack_project::params::allowed_ssh_command}\"",
|
||||||
|
'from="ci-puppetmaster.openstack.org"',
|
||||||
|
],
|
||||||
|
require => File['/root/.ssh'],
|
||||||
|
}
|
||||||
|
|
||||||
# Use upstream puppet and pin to version 2.7.*
|
# Use upstream puppet and pin to version 2.7.*
|
||||||
if ($::osfamily == 'Debian') {
|
if ($::osfamily == 'Debian') {
|
||||||
apt::source { 'puppetlabs':
|
apt::source { 'puppetlabs':
|
||||||
|
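Review bot: The `from="ci-puppetmaster.openstack.org"` option on the root key only restricts anything if sshd resolves the client address back to that name: with `UseDNS no` (the OpenSSH default since 6.8) a hostname pattern never matches and the key is simply unusable, and with reverse lookup enabled the check is only as strong as the PTR record. An address pattern such as `from="<puppetmaster-ip>"` (placeholder) is the more robust form, with the address supplied from hiera next to the key. Separately, `ssh_authorized_key`'s namevar is the key comment, not a path, so the title `/root/.ssh/authorized_keys` is written into authorized_keys as the comment; a descriptive title like `puppetmaster-root` reads better. The `command=` value interpolates `$::openstack_project::params::allowed_ssh_command`, which presumes `openstack_project::params` is evaluated for every host; the class header of `openstack_project::base` is outside this hunk, so confirm it includes it.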
@ -18,4 +18,5 @@ class openstack_project::params {
|
|||||||
fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).")
|
fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
$allowed_ssh_command = 'timeout -s 9 30 puppet agent --test'
|
||||||
}
|
}
|
||||||
|
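Review bot: `$allowed_ssh_command` sends SIGKILL on expiry (`-s 9`), and GNU timeout then exits 137 (128+9) rather than 124, so the timeout check in run_remote_puppet.sh.erb (`[ $ret eq 124 ]`) can never fire; either drop `-s 9` so the default SIGTERM yields 124, or test for 137 in the script. A SIGKILL also gives `puppet agent` no chance to clean up, which is likely to leave its run lock behind on the node and make the next run refuse to start — confirm how the pinned 2.7 agent behaves. The 30-second cap deserves a comment too, since a full `--test` run can easily exceed it; e.g. `# 30s cap: a run that overruns is killed and reported as a failure by run_remote_puppet`.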
@ -1,8 +1,12 @@
|
|||||||
# == Class: openstack_project::puppetmaster
|
# == Class: openstack_project::puppetmaster
|
||||||
#
|
#
|
||||||
class openstack_project::puppetmaster (
|
class openstack_project::puppetmaster (
|
||||||
|
$root_rsa_key,
|
||||||
|
$override_list = [],
|
||||||
$sysadmins = []
|
$sysadmins = []
|
||||||
) {
|
) {
|
||||||
|
include openstack_project::params
|
||||||
|
|
||||||
class { 'openstack_project::server':
|
class { 'openstack_project::server':
|
||||||
iptables_public_tcp_ports => [4505, 4506, 8140],
|
iptables_public_tcp_ports => [4505, 4506, 8140],
|
||||||
sysadmins => $sysadmins,
|
sysadmins => $sysadmins,
|
||||||
@ -45,6 +49,25 @@ class openstack_project::puppetmaster (
|
|||||||
mode => '0750',
|
mode => '0750',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
file { '/usr/local/bin/run_remote_puppet':
|
||||||
|
ensure => present,
|
||||||
|
mode => '0700',
|
||||||
|
content => template('openstack_project/run_remote_puppet.sh.erb'),
|
||||||
|
}
|
||||||
|
|
||||||
|
if ! defined(File['/root/.ssh']) {
|
||||||
|
file { '/root/.ssh':
|
||||||
|
ensure => directory,
|
||||||
|
mode => '0700',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
file { '/root/.ssh/id_rsa':
|
||||||
|
ensure => present,
|
||||||
|
mode => '0400',
|
||||||
|
content => $root_rsa_key,
|
||||||
|
}
|
||||||
|
|
||||||
# Cloud credentials are stored in this directory for launch-node.py.
|
# Cloud credentials are stored in this directory for launch-node.py.
|
||||||
file { '/root/ci-launch':
|
file { '/root/ci-launch':
|
||||||
ensure => directory,
|
ensure => directory,
|
||||||
|
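Review bot: `File['/root/.ssh/id_rsa']` takes the private key via `content => $root_rsa_key`, and a file resource shows content diffs in agent output and reports by default, so a key rotation would be printed in the clear; set `show_diff => false` on that resource if the pinned Puppet supports the per-resource parameter (it is a 3.x addition — confirm for 2.7), and set `owner => 'root', group => 'root'` explicitly on both the key and `/usr/local/bin/run_remote_puppet` instead of relying on agent defaults. The `if ! defined(File['/root/.ssh'])` guard duplicates the one this commit adds to `openstack_project::base`; `defined()` is evaluation-order dependent, and while both declarations are identical today, any later divergence yields an order-dependent catalog, so a single declaration in one class would be safer. The class body continues outside the hunk.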
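--- /dev/null
+++ b/modules/openstack_project/templates/run_remote_puppet.sh.erb
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This function will properly fail if puppet is disabled on the target host
+function run_ssh {
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$1 <%= scope.lookupvar('openstack_project::params::allowed_ssh_command') %>
+ret=$?
+# Did we timeout
+if [ $ret eq 124 ]; the
+echo "TODO: Timeout instead of other failure. Report this differently."
+fi
+return $ret
+}
+
+FULL_LIST=$(puppet cert list -a | grep '^\+' | awk '{print $2}' | sed 's/"//g')
+OVERRIDE_LIST="
+<% @override_list.each do |host| -%>
+<%= host %>
+<% end -%>
+"
+FILTERED_LIST=""
+for host in $FULL_LIST; do
+if ! echo $OVERRIDE_LIST | grep $host >/dev/null 2>&1 ; then
+FILTERED_LIST="$FILTERED_LIST $host"
+fi
+done
+
+cd /opt/config/production
+
+# Run things that need to be ordered
+for host in $OVERRIDE_LIST; do
+if ! run_ssh $host ; then
+break
+fi
+done
+
+# Now, run everyone else
+echo $FILTERED_LIST | xargs -P 10 -n 1 run_ssh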
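Review bot: The timeout test in `run_ssh` is not valid bash — `eq` must be `-eq` and `the` is a typo for `then` — so the generated script fails to parse and nothing runs; the line should read `if [ "$ret" -eq 124 ]; then` (and note that `allowed_ssh_command` uses `timeout -s 9`, for which GNU timeout returns 137, not 124). The final `xargs -P 10 -n 1 run_ssh` cannot invoke a shell function, since xargs execs a program, so every host in FILTERED_LIST fails with "run_ssh: No such file or directory"; add `export -f run_ssh` after the function and call it as `xargs -P 10 -n 1 bash -c 'run_ssh "$0"'`. `StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null` disables host authentication for a root session the master opens to every node, so the master cannot detect a host impersonating a node; the master already knows each node's name, so distribute node host keys (Puppet's `sshkey` type or a managed known_hosts file) and use `StrictHostKeyChecking=yes`. The override filter `grep $host` is unanchored, so a hostname that is a substring of another is misclassified; `grep -qw -- "$host"` is closer to the intent.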
@ -23,7 +23,7 @@ LogLevel INFO
|
|||||||
|
|
||||||
# Authentication:
|
# Authentication:
|
||||||
LoginGraceTime 120
|
LoginGraceTime 120
|
||||||
PermitRootLogin no
|
PermitRootLogin forced-commands-only
|
||||||
StrictModes yes
|
StrictModes yes
|
||||||
|
|
||||||
RSAAuthentication yes
|
RSAAuthentication yes
|
||||||
|
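Review bot: `PermitRootLogin forced-commands-only` rejects any root public key that lacks a `command=` option, so on a host that already has root keys without one (placed by hand or by the image) they stop working the moment this template is applied; a comment above the line would save the next reader a surprise, e.g. `# root may only log in with a key carrying a command= option (puppetmaster forced run); see openstack_project::base`. It still allows root key authentication as such, so the host's exposure now rests on the `from=`/`command=` options of every root key rather than on this directive alone. The rest of the template is outside this hunk.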
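--- /dev/null
+++ b/run_all.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+cd /opt/config/production
+git fetch -a && git reset -q --hard @{u}
+./install_modules.sh
+
+# One must touch manifests/site.pp to trick puppet into re-loading modules
+# some times
+touch manifests/site.pp
+
+# Run this as an external script so that the above pull will get new changes
+/usr/local/bin/run_remote_puppet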
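Review bot: `cd /opt/config/production` is unchecked, so if the directory is missing the following `git reset -q --hard @{u}` runs against whatever repository the caller's working directory happens to be; the script should abort on any failure, e.g. `set -e` after the shebang or `cd /opt/config/production || exit 1`. `git fetch -a` is `--append`, not `--all` — it only changes how FETCH_HEAD is written — so if the intent was to fetch every remote use `git fetch --all`, or plain `git fetch` for the current branch's upstream. `./install_modules.sh` and the final `/usr/local/bin/run_remote_puppet` likewise run regardless of whether the fetch succeeded, which `set -e` would also cover.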