Add keys and script for puppet over ssh

In anticipation of driving puppet over ssh, we need keys on the hosts
and the scripts on the master. Don't turn them on yet, because we want
to be able to do some by-hand testing of the mechanism.

Change-Id: I2c353777e2f8fb5a2e733ce405ba40427ce901e5
This commit is contained in:
Monty Taylor 2014-03-17 04:01:33 -04:00
parent 04c3a045fc
commit edaa31ebbd
7 changed files with 132 additions and 2 deletions

View File

@ -126,6 +126,15 @@ node 'community.openstack.org' {
node 'ci-puppetmaster.openstack.org' { node 'ci-puppetmaster.openstack.org' {
class { 'openstack_project::puppetmaster': class { 'openstack_project::puppetmaster':
root_rsa_key => hiera('puppetmaster_root_rsa_key'),
override_list => [
'git01.openstack.org',
'git02.openstack.org',
'git03.openstack.org',
'git04.openstack.org',
'git05.openstack.org',
'review.openstack.org',
],
sysadmins => hiera('sysadmins'), sysadmins => hiera('sysadmins'),
} }
} }

View File

@ -63,6 +63,25 @@ class openstack_project::base(
) )
} }
if ! defined(File['/root/.ssh']) {
file { '/root/.ssh':
ensure => directory,
mode => '0700',
}
}
ssh_authorized_key { '/root/.ssh/authorized_keys':
ensure => present,
user => 'root',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp',
options => [
"command=\"${::openstack_project::params::allowed_ssh_command}\"",
'from="ci-puppetmaster.openstack.org"',
],
require => File['/root/.ssh'],
}
# Use upstream puppet and pin to version 2.7.* # Use upstream puppet and pin to version 2.7.*
if ($::osfamily == 'Debian') { if ($::osfamily == 'Debian') {
apt::source { 'puppetlabs': apt::source { 'puppetlabs':

View File

@ -18,4 +18,5 @@ class openstack_project::params {
fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).") fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).")
} }
} }
$allowed_ssh_command = 'timeout -s 9 30 puppet agent --test'
} }

View File

@ -1,8 +1,12 @@
# == Class: openstack_project::puppetmaster # == Class: openstack_project::puppetmaster
# #
class openstack_project::puppetmaster ( class openstack_project::puppetmaster (
$root_rsa_key,
$override_list = [],
$sysadmins = [] $sysadmins = []
) { ) {
include openstack_project::params
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [4505, 4506, 8140], iptables_public_tcp_ports => [4505, 4506, 8140],
sysadmins => $sysadmins, sysadmins => $sysadmins,
@ -45,6 +49,25 @@ class openstack_project::puppetmaster (
mode => '0750', mode => '0750',
} }
file { '/usr/local/bin/run_remote_puppet':
ensure => present,
mode => '0700',
content => template('openstack_project/run_remote_puppet.sh.erb'),
}
if ! defined(File['/root/.ssh']) {
file { '/root/.ssh':
ensure => directory,
mode => '0700',
}
}
file { '/root/.ssh/id_rsa':
ensure => present,
mode => '0400',
content => $root_rsa_key,
}
# Cloud credentials are stored in this directory for launch-node.py. # Cloud credentials are stored in this directory for launch-node.py.
file { '/root/ci-launch': file { '/root/ci-launch':
ensure => directory, ensure => directory,

View File

@ -0,0 +1,51 @@
#!/bin/bash
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# This function will properly fail if puppet is disabled on the target host
function run_ssh {
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$1 <%= scope.lookupvar('openstack_project::params::allowed_ssh_command') %>
ret=$?
# Did we timeout
if [ $ret eq 124 ]; the
echo "TODO: Timeout instead of other failure. Report this differently."
fi
return $ret
}
FULL_LIST=$(puppet cert list -a | grep '^\+' | awk '{print $2}' | sed 's/"//g')
OVERRIDE_LIST="
<% @override_list.each do |host| -%>
<%= host %>
<% end -%>
"
FILTERED_LIST=""
for host in $FULL_LIST; do
if ! echo $OVERRIDE_LIST | grep $host >/dev/null 2>&1 ; then
FILTERED_LIST="$FILTERED_LIST $host"
fi
done
cd /opt/config/production
# Run things that need to be ordered
for host in $OVERRIDE_LIST; do
if ! run_ssh $host ; then
break
fi
done
# Now, run everyone else
echo $FILTERED_LIST | xargs -P 10 -n 1 run_ssh

View File

@ -23,7 +23,7 @@ LogLevel INFO
# Authentication: # Authentication:
LoginGraceTime 120 LoginGraceTime 120
PermitRootLogin no PermitRootLogin forced-commands-only
StrictModes yes StrictModes yes
RSAAuthentication yes RSAAuthentication yes

27
run_all.sh Executable file
View File

@ -0,0 +1,27 @@
#!/bin/bash
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
cd /opt/config/production
git fetch -a && git reset -q --hard @{u}
./install_modules.sh
# One must touch manifests/site.pp to trick puppet into re-loading modules
# some times
touch manifests/site.pp
# Run this as an external script so that the above pull will get new changes
/usr/local/bin/run_remote_puppet