initial checkin

commit 210593d81fa55e75c107648bde06ebd47fb2f401 0 parents
rpedde authored
Showing with 896 additions and 0 deletions.
  1. +94 −0 auth.conf
  2. +17 −0 fileserver.conf
  3. +48 −0 lib/puppet/parser/functions/configval.rb
  4. +27 −0 manifests/classes/preseed-package.pp
  5. +55 −0 manifests/site.pp
  6. +25 −0 modules/apt/manifests/config.pp
  7. +17 −0 modules/apt/manifests/init.pp
  8. +4 −0 modules/apt/templates/base-repos.erb
  9. +2 −0  modules/apt/templates/sources-list-launchpad.erb
  10. +3 −0  modules/glance/manifests/init.pp
  11. +8 −0 modules/glance/manifests/install.pp
  12. +8 −0 modules/glance/manifests/service.pp
  13. +130 −0 modules/mysql/files/my.cnf
  14. +21 −0 modules/mysql/manifests/config.pp
  15. 0  modules/mysql/manifests/init.pp
  16. +10 −0 modules/mysql/manifests/install.pp
  17. +3 −0  modules/mysql/manifests/server.pp
  18. +7 −0 modules/mysql/manifests/service.pp
  19. +9 −0 modules/mysql/templates/mysql-preseed.erb
  20. +11 −0 modules/nova-common/manifests/config.pp
  21. +3 −0  modules/nova-common/manifests/init.pp
  22. +8 −0 modules/nova-common/manifests/install.pp
  23. +42 −0 modules/nova-common/templates/nova.conf.erb
  24. +4 −0 modules/nova-compute/manifests/init.pp
  25. +7 −0 modules/nova-compute/manifests/install.pp
  26. +13 −0 modules/nova-compute/manifests/service.pp
  27. +7 −0 modules/nova-db/manifests/init.pp
  28. +34 −0 modules/nova-db/manifests/install.pp
  29. +3 −0  modules/nova-infra/manifests/init.pp
  30. +9 −0 modules/nova-infra/manifests/install.pp
  31. +9 −0 modules/nova-infra/manifests/service.pp
  32. +11 −0 modules/ntp/manifests/config.pp
  33. +4 −0 modules/ntp/manifests/init.pp
  34. +5 −0 modules/ntp/manifests/install.pp
  35. +7 −0 modules/ntp/manifests/service.pp
  36. +49 −0 modules/ntp/templates/ntp.conf.erb
  37. +6 −0 modules/rabbitmq/manifests/init.pp
  38. +5 −0 modules/rabbitmq/manifests/install.pp
  39. +7 −0 modules/rabbitmq/manifests/service.pp
  40. +86 −0 modules/ssh/files/sshd_config
  41. +28 −0 modules/ssh/manifests/config.pp
  42. +7 −0 modules/ssh/manifests/init.pp
  43. +7 −0 modules/ssh/manifests/install.pp
  44. +11 −0 modules/ssh/manifests/params.pp
  45. +8 −0 modules/ssh/manifests/service.pp
  46. +17 −0 puppet.conf
94 auth.conf
@@ -0,0 +1,94 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACL - those applies only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog (ie their configuration)
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their reports
+path /report
+method save
+allow *
+
+# inconditionnally allow access to all files services
+# which means in practice that fileserver.conf will
+# still be used
+path /file
+allow *
+
+### Unauthenticated ACL, for clients for which the current master doesn't
+### have a valid certificate
+
+# allow access to the master CA
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# this one is not stricly necessary, but it has the merit
+# to show the default policy which is deny everything else
+path /
+auth any
17 fileserver.conf
@@ -0,0 +1,17 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Define a section 'files'
+# Adapt the allow/deny settings to your needs. Order
+# for allow/deny does not matter, allow always takes precedence
+# over deny
+[files]
+ path /etc/puppet/files
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
+
+[plugins]
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
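Review bot: Every `allow` line under `[files]` (and `[plugins]`) is commented out, so the ACL for the `/etc/puppet/files` mount is whatever the running Puppet version does by default for a mount with no directives; if nodes are meant to fetch from it, make the intent explicit with an `allow` entry rather than relying on that default. auth.conf in this same commit grants `path /file` to every authenticated node (`allow *`) and defers to this file, so this mount is the only place the file service is actually restricted. Mount ACLs are all-or-nothing per mount, so anything placed under `/etc/puppet/files` becomes readable by every node the mount allows — keep node-specific secrets out of it and deliver them through templates instead.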
48 lib/puppet/parser/functions/configval.rb
@@ -0,0 +1,48 @@
+# mangled off extlookup.rb
+#
+
+require 'yaml'
+module Puppet::Parser::Functions
+ newfunction(:configval, :type => :rvalue) do |args|
+ parser = Puppet::Parser::Parser.new(environment)
+
+ def var_to_fact str
+ while str =~ /%\{(.+?)\}/
+ fact = lookupvar $1
+ raise(Puppet::ParseError, "Unable to found value for #{str}") if fact.nil?
+ str.gsub!(/%\{#{$1}\}/, fact)
+ end
+ str
+ end
+
+ lookup_debug = true if lookupvar('lookup_debug?') == true
+
+ raise(Puppet::ParserError, "Wrong number of args to configval") unless (args.length == 2 || args.length == 3)
+
+ key = args[0]
+ lookup_file = args[1]
+ default_value = args.length == 3 ? args[2] : nil
+
+ file = lookup_file.start_with?("/") ? lookup_file : "/etc/puppet/#{lookup_file}.yaml"
+
+ raise(Puppet::ParseError, "Can't find input yaml file: #{file}") unless File.exist?(file)
+
+ parser.watch_file file
+ begin
+ result = YAML.load_file(file)[key]
+ if result and result.size > 0
+ result.to_a.map! { |r| var_to_fact r } # replace values to facts if required.
+ end
+ rescue
+ raise Puppet::ParseError, "Something went wrong while parsing #{file} - #{$!}"
+ end
+
+ if result.size > 0
+ return result
+# return result.size == 1 ? result.to_s : result
+ else
+ raise(Puppet::ParseError, "Could not find #{key}") if default_value == nil
+ return default_value
+ end
+ end
+end
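Review bot: The `default_value` branch (lines 221–226) is unreachable when the key is missing: `YAML.load_file(file)[key]` returns nil, the `result and result.size > 0` guard skips the map, and then `result.size` on line 221 raises NoMethodError outside the `rescue`, so a caller that passes a default (such as `configval("root_authorized_keys", "passwords", "")` in modules/ssh/manifests/config.pp) crashes instead of getting it — change line 221 to `if result && !result.empty?`. The arity check on line 201 raises `Puppet::ParserError`, which is not the `Puppet::ParseError` used on every other raise in this file, so a wrong argument count surfaces as a NameError rather than a parse error; use `raise(Puppet::ParseError, "Wrong number of args to configval") unless (args.length == 2 || args.length == 3)`. `result.to_a.map! { |r| var_to_fact r }` on line 215 appears to be a no-op for Hash results, because `to_a` builds a fresh array that is then discarded, so the `%{fact}` substitution is likely never applied to the hash values the manifests read — iterate the values and write the substituted value back. In `var_to_fact`, `$1` is read again after the `lookupvar` call (which may itself run a regexp) and is interpolated unescaped into a Regexp; capture it into a local before the call and wrap it in `Regexp.escape`. `lookup_debug` on line 199 is assigned but never read.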
27 manifests/classes/preseed-package.pp
@@ -0,0 +1,27 @@
+# roughly stolen from puppet wiki:
+# http://projects.puppetlabs.com/projects/1/wiki/Debian_Preseed_Patterns
+#
+# We'll require a source, though, and expect that source to be
+# templated
+#
+define preseed_package ( $ensure, $source ) {
+ file { "/var/local/preseed":
+ ensure => directory,
+ owner => "root",
+ group => "root",
+ mode => 0700
+ }
+
+ file { "/var/local/preseed/$name.preseed":
+ content => template($source),
+ mode => 0600,
+ backup => false,
+ require => File["/var/local/preseed"]
+ }
+
+ package { "$name":
+ ensure => $ensure,
+ responsefile => "/var/local/preseed/$name.preseed",
+ require => File["/var/local/preseed/$name.preseed"],
+ }
+}
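Review bot: The preseed file resource (`/var/local/preseed/$name.preseed`) sets `mode => 0600` but no `owner`/`group`, unlike the directory above it, so its ownership is whatever the agent process happens to run as; add `owner => "root", group => "root",` so the file carrying the debconf answers (which include a password for the mysql use in this commit) is pinned to root regardless of how the agent is invoked. `template($source)` is evaluated inside this define, so variables the template references (e.g. `mysql_password` in modules/mysql/templates/mysql-preseed.erb) presumably resolve through dynamic scoping from the declaring class — that works in the Puppet generation this targets but is fragile; passing the needed values as define parameters would make the dependency explicit. `backup => false` is the right call here since it keeps the password out of the filebucket.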
55 manifests/site.pp
@@ -0,0 +1,55 @@
+# Site config
+import "classes/*"
+
+# Array of NTP servers to use
+# FIXME: (rp) move this crap to cluster config yaml file
+$ntpservers = [ "0.debian.pool.ntp.org", "1.debian.pool.ntp.org", "2.debian.pool.ntp.org" ]
+
+# In full apt format, e.g. "deb http://foo.com/ubuntu maverick main contrib"
+$additional_apt_repos = []
+
+$cluster_name="test"
+
+class base-node {
+ include ssh
+ include ntp
+ include apt # additional repos only
+}
+
+class nova-base-node {
+ include base-node
+
+ class { 'apt::launchpad_repo':
+ repo_name => "nova-trunk",
+ apt_url => "http://ppa.launchpad.net/nova-core/trunk/ubuntu",
+ apt_keyserver => "keyserver.ubuntu.com",
+ apt_signing_key => "7A4AF09AB1802509C26153211EBA3D372A2356C9"
+ }
+
+ include nova-common
+}
+
+class nova-compute-node {
+ include nova-base-node
+}
+
+class nova-infra-node {
+ # These should be split into:
+ # * rabbit
+ # * mysql
+ # * api
+ # * scheduler
+ include nova-base-node
+ include mysql::server
+ include nova-db
+ include rabbitmq
+ include nova-infra
+ include glance
+ include nova-compute-node
+}
+
+# TODO: (rp)
+# external node classifier based on cluster yaml file
+node "puppet-client" {
+ include nova-infra-node
+}
25 modules/apt/manifests/config.pp
@@ -0,0 +1,25 @@
+class apt::config {
+ file { "/etc/apt/sources.list.d":
+ ensure => directory,
+ owner => "root",
+ group => "root",
+ mode => 0755,
+ }
+
+ file { "sources_list":
+ path => $apt_sources_list,
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0640,
+ content => template($apt_templ_source),
+ notify => Exec["apt-update"],
+ require => File["/etc/apt/sources.list.d"]
+ }
+
+ exec { "apt-update":
+ command => "/usr/bin/apt-get update",
+ refreshonly => true
+ }
+}
+
17 modules/apt/manifests/init.pp
@@ -0,0 +1,17 @@
+class apt {
+ $apt_sources_list = "/etc/apt/sources.list.d/puppet.list"
+ $apt_templ_source = "apt/base-repos.erb"
+ include apt::config
+}
+
+class apt::launchpad_repo ($repo_name, $apt_url, $apt_keyserver, $apt_signing_key) {
+ $apt_sources_list = "/etc/apt/sources.list.d/${repo_name}.list"
+ $apt_templ_source = "apt/sources-list-launchpad.erb"
+ include apt::config
+
+ exec { "import-key":
+ command => "/usr/bin/gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver ${apt_keyserver} --recv ${apt_signing_key}",
+ refreshonly => true,
+ subscribe => File["sources_list"]
+ }
+}
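Review bot: `apt::launchpad_repo` re-includes `apt::config`, but `include` evaluates a class only once, so when `apt` has already been included (as in `base-node` in manifests/site.pp, which is included before the `apt::launchpad_repo` declaration) the second include is a no-op: the launchpad `sources_list` file is never written, and the `import-key` exec, which subscribes to `File["sources_list"]`, refreshes off the base `puppet.list` instead. `apt::config` also reads `$apt_sources_list` and `$apt_templ_source` from whichever class included it, i.e. through dynamic scoping, which is what makes the first include win silently. Consider making the repo/list resource a define (or giving `apt::config` parameters) so each repository produces its own `file` resource with a distinct title and the key import subscribes to the right one.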
4 modules/apt/templates/base-repos.erb
@@ -0,0 +1,4 @@
+
+<% additional_apt_repos and additional_apt_repos.each do |repo| -%>
+<%= repo %>
+<% end -%>
2  modules/apt/templates/sources-list-launchpad.erb
@@ -0,0 +1,2 @@
+deb http://ppa.launchpad.net/nova-core/trunk/ubuntu <%= lsbdistcodename %> main
+deb-src http://ppa.launchpad.net/nova-core/trunk/ubuntu <%= lsbdistcodename %> main
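Review bot: The template hardcodes the nova-core PPA URL even though `apt::launchpad_repo` (modules/apt/manifests/init.pp) takes an `$apt_url` parameter, so the value passed from manifests/site.pp is silently ignored and the class cannot be reused for another repository; use `deb <%= apt_url %> <%= lsbdistcodename %> main` and `deb-src <%= apt_url %> <%= lsbdistcodename %> main`. Since the repository is fetched over plain http, the signing key imported by `import-key` is the only integrity check on these packages, so the key fingerprint in site.pp is worth a comment saying where it was verified.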
3  modules/glance/manifests/init.pp
@@ -0,0 +1,3 @@
+class glance {
+ include glance::install, glance::service
+}
8 modules/glance/manifests/install.pp
@@ -0,0 +1,8 @@
+class glance::install {
+ $glance_packages = [ "glance", "python-glance" ]
+
+ package { $glance_packages:
+ ensure => present
+ }
+}
+
8 modules/glance/manifests/service.pp
@@ -0,0 +1,8 @@
+class glance::service {
+ $glance_services = [ "glance-api", "glance-registry" ]
+ service { $glance_services:
+ ensure => running,
+ enable => true,
+ require => Class["glance::install"]
+ }
+}
130 modules/mysql/files/my.cnf
@@ -0,0 +1,130 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port = 3306
+socket = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+
+#
+# * IMPORTANT
+# If you make changes to these settings and your system uses apparmor, you may
+# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
+#
+
+user = mysql
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = 0.0.0.0
+#
+# * Fine Tuning
+#
+key_buffer = 16M
+max_allowed_packet = 16M
+thread_stack = 192K
+thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover = BACKUP
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+
+log_error = /var/log/mysql/error.log
+
+# Here you can see queries with especially long duration
+#log_slow_queries = /var/log/mysql/mysql-slow.log
+#long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = 16M
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/
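Review bot: `bind-address = 0.0.0.0` contradicts the comment directly above it ("listen only on localhost"), which is left over from the Debian default and now documents the opposite of what the file does. Network listening is evidently intended, because nova.conf.erb in this commit points nodes at `ci['mysql_vip']`, so bind to that VIP/cluster interface rather than every interface and rewrite the comment to say so (e.g. `# Listen on the cluster VIP so nova nodes can reach the database; see nova-db::install`). Together with the `'nova'@'%'` grant in modules/nova-db/manifests/install.pp this is what makes the database reachable from anywhere, so the two should be tightened together.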
21 modules/mysql/manifests/config.pp
@@ -0,0 +1,21 @@
+class mysql::config {
+ file { "/etc/mysql":
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 0755
+ }
+
+ file { "/etc/mysql/my.cnf":
+ ensure => present,
+ require => [ File["/etc/mysql"], Class["mysql::install"] ],
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => "puppet:///modules/mysql/my.cnf",
+ notify => Service["mysql"]
+ }
+
+
+}
+
0  modules/mysql/manifests/init.pp
No changes.
10 modules/mysql/manifests/install.pp
@@ -0,0 +1,10 @@
+class mysql::install {
+ $password_hash = configval("passwords", $cluster_name)
+ $mysql_password = $password_hash["mysql_root_password"]
+
+ preseed_package { "mysql-server":
+ ensure => present,
+ source => "mysql/mysql-preseed.erb"
+ }
+}
+
3  modules/mysql/manifests/server.pp
@@ -0,0 +1,3 @@
+class mysql::server {
+ include mysql::install, mysql::config, mysql::service
+}
7 modules/mysql/manifests/service.pp
@@ -0,0 +1,7 @@
+class mysql::service {
+ service { "mysql":
+ ensure => running,
+ enable => true,
+ require => Class["mysql::config"]
+ }
+}
9 modules/mysql/templates/mysql-preseed.erb
@@ -0,0 +1,9 @@
+mysql-server-5.1 mysql-server/root_password_again password <%= mysql_password %>
+mysql-server-5.1 mysql-server/root_password password <%= mysql_password %>
+mysql-server-5.1 mysql-server/error_setting_password error
+mysql-server-5.1 mysql-server-5.1/nis_warning note
+mysql-server-5.1 mysql-server-5.1/really_downgrade boolean false
+mysql-server-5.1 mysql-server-5.1/start_on_boot boolean true
+mysql-server-5.1 mysql-server-5.1/postrm_remove_databases boolean false
+mysql-server-5.1 mysql-server/password_mismatch error
+mysql-server-5.1 mysql-server/no_upgrade_when_using_ndb error
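Review bot: The debconf owner is pinned to `mysql-server-5.1` and several question names are versioned (`mysql-server-5.1/nis_warning`, `mysql-server-5.1/start_on_boot`, …), while the package resource in modules/mysql/manifests/install.pp installs the unversioned `mysql-server`; on a release whose default series is not 5.1 the versioned questions will not match, and whether the `mysql-server/root_password` answers still apply depends on debconf's handling of the owner field — worth verifying, because the failure mode is a server installed with no root password set, and nothing in the manifest would notice. A comment naming the distribution release this was written against would help the next person, e.g. `# question names match the mysql-server-5.1 packaging; re-check when the default series changes`.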
11 modules/nova-common/manifests/config.pp
@@ -0,0 +1,11 @@
+class nova-common::config {
+ # set up the nova.conf
+ file { "/etc/nova/nova.conf":
+ ensure => present,
+ owner => "root",
+ group => "nogroup",
+ mode => 0660,
+ content => template("nova-common/nova.conf.erb"),
+ require => Class["nova-common::install"]
+ }
+}
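Review bot: `/etc/nova/nova.conf` is rendered from nova.conf.erb, which embeds the database password in `--sql_connection`, yet the file is created with `group => "nogroup"` and `mode => 0660`, so it is group-writable by a catch-all group rather than readable only by the service account. If the nova daemons run as a dedicated `nova` user (the Ubuntu packages create one, but confirm for this target), `group => "nova", mode => 0640,` gives them read access without widening it further. A short comment above the resource noting that the file carries credentials would make the ownership choice self-explanatory.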
3  modules/nova-common/manifests/init.pp
@@ -0,0 +1,3 @@
+class nova-common {
+ include nova-common::install, nova-common::config
+}
8 modules/nova-common/manifests/install.pp
@@ -0,0 +1,8 @@
+class nova-common::install {
+ $nova_common_packages = [ "nova-common", "nova-doc", "python-nova",
+ "euca2ools", "unzip" ]
+
+ package { $nova_common_packages:
+ ensure => present
+ }
+}
42 modules/nova-common/templates/nova.conf.erb
@@ -0,0 +1,42 @@
+<% Puppet::Parser::Functions.autoloader.loadall -%>
+<% opt = scope.function_configval("options", cluster_name) -%>
+<% ci = scope.function_configval("cluster", cluster_name) -%>
+<% pw = scope.function_configval("passwords", cluster_name) -%>
+# DO NOT EDIT
+#
+# This file is managed by puppet, generated for cluster '<%= cluster_name %>'
+#
+
+--dhcpbridge_flagfile=/etc/nova/nova.conf
+--dhcpbridge=/usr/bin/nova-dhcpbridge
+--logdir=/var/log/nova
+--state_path=/var/lib/nova
+--lock_path=/var/lock/nova
+--verbose
+--network_manager=nova.network.manager.<%= opt['network_manager'] %>
+#--my_ip=<%= ipaddress %>
+--sql_connection=mysql://nova:<%= pw['mysql_nova_password'] -%>@<%= ci['mysql_vip'] -%>/nova
+--libvirt_type=<%= opt['libvirt_type'] %>
+#--osapi_extensions_path=/FIX/WITH/PROPER/DIR/extensions
+#--vncproxy_url=http://INVALID_URL:6080
+#--vncproxy_wwwroot=/FIX/WITH/PROPER/DIR/noVNC
+<% if opt.has_key?('flat_interface') -%>
+--flat_interface=<%= opt['flat_interface'] %>
+<% end -%>
+<% if opt.has_key?('use_ipv6') && opt['use_ipv6'] -%>
+--use_ipv6
+<% end -%>
+<% if opt.has_key?('use_keystone') && opt['use_keystone'] -%>
+--api_paste_config=/etc/nova/api-paste.ini
+<% end -%>
+<% if opt.has_key?('use_glance') && opt['use_glance'] -%>
+--image_service=nova.image.glance.GlanceImageService
+<% end -%>
+
+# Absent config values, not supported by puppet yet:
+#--auth_driver=nova.auth.$AUTH (ldapdriver or dbdriver if using ldap)
+#--public_interface=$INTERFACE
+#--vlan_interface=$INTERFACE
+
+
+
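Review bot: `opt['network_manager']` and `opt['libvirt_type']` are interpolated without the `has_key?` guard the later flags use, so a missing key renders `--network_manager=nova.network.manager.` or `--libvirt_type=` and the error only shows up when nova starts; use `opt.fetch('network_manager')` / `opt.fetch('libvirt_type')` so the catalog compile fails with the key name instead. `scope.function_configval("options", cluster_name)` passes two positional arguments, but in the 2.6/2.7-era Puppet this layout targets the generated `function_*` methods take a single Array (`scope.function_configval(["options", cluster_name])`) — please confirm against the version in use. The trailing blank lines at the end of the template are harmless but could go.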
4 modules/nova-compute/manifests/init.pp
@@ -0,0 +1,4 @@
+class nova-compute {
+ include nova-compute::install, nova-compute::service
+}
+
7 modules/nova-compute/manifests/install.pp
@@ -0,0 +1,7 @@
+class nova-compute::install {
+ $nova_compute_packages = [ "nova-compute", "nova-network" ]
+
+ package { $nova_compute_packages:
+ ensure => present
+ }
+}
13 modules/nova-compute/manifests/service.pp
@@ -0,0 +1,13 @@
+class nova-compute::service {
+ service { "nova-compute":
+ ensure => running,
+ enable => true,
+ subscribe => File["/etc/nova/nova.conf"]
+ }
+
+ service { "nova-network":
+ ensure => running,
+ enable => true,
+ subscribe => File["/etc/nova/nova.conf"]
+ }
+}
7 modules/nova-db/manifests/init.pp
@@ -0,0 +1,7 @@
+class nova-db {
+ # this should be split into nova-db::master, nova-db::slave with drbd
+ # NO! mysql should be.. this should be independant
+ include nova-common
+ include mysql::server
+ include nova-db::install
+}
34 modules/nova-db/manifests/install.pp
@@ -0,0 +1,34 @@
+class nova-db::install {
+ # we only have to install if there isn't a nova db
+ $pw = configval("passwords", $cluster_name)
+
+ $mysql_nova_password = $pw['mysql_nova_password']
+ $mysql_root_password = $pw['mysql_root_password']
+
+ err($mysql_root_password)
+ err($mysql_nova_password)
+
+ exec { "create_nova_db":
+ command => "mysql -uroot -p${mysql_root_password} -e 'create database nova'",
+ path => [ "/bin", "/usr/bin" ],
+ unless => "mysql -uroot -p${mysql_root_password} -sr -e 'show databases' | grep -q nova",
+ notify => Exec["create_nova_user"]
+ }
+
+ exec { "create_nova_user":
+ # FIXME:
+ # someone really need to get db access limited to just
+ # the controller nodes
+ command => "mysql -uroot -p${mysql_root_password} -e \"grant all on nova.* to 'nova'@'%' identified by '${mysql_nova_password}'\"",
+ path => [ "/bin", "/usr/bin" ],
+ notify => Exec["sync_nova_db"],
+ refreshonly => true
+ }
+
+ exec { "sync_nova_db":
+ command => "nova-manage db sync",
+ path => [ "/bin", "/usr/bin" ],
+ refreshonly => true
+ }
+}
+
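Review bot: `err($mysql_root_password)` and `err($mysql_nova_password)` write both database passwords to the master and agent logs at error level on every run; they look like leftover debugging and should be removed. The `command` and `unless` strings also pass the root password as `-p${mysql_root_password}` on the mysql command line, where it is visible in the process list to every local user and lands in Puppet's log whenever the exec fails; moving it to the `MYSQL_PWD` environment variable via the exec's `environment` parameter takes it out of both. The nova password still appears inside the `grant` SQL on the command line — that can be avoided by writing the statement to a root-only file and running `mysql < file`, which is a larger change. `grep -q nova` in `unless` also matches any database whose name merely contains "nova"; `grep -qx nova` checks the whole line.
```puppet
  exec { "create_nova_db":
    command     => "mysql -uroot -e 'create database nova'",
    environment => "MYSQL_PWD=${mysql_root_password}",
    path        => [ "/bin", "/usr/bin" ],
    unless      => "mysql -uroot -sr -e 'show databases' | grep -qx nova",
    notify      => Exec["create_nova_user"]
  }

  exec { "create_nova_user":
    # … unchanged: FIXME comment about limiting db access …
    command     => "mysql -uroot -e \"grant all on nova.* to 'nova'@'%' identified by '${mysql_nova_password}'\"",
    environment => "MYSQL_PWD=${mysql_root_password}",
    path        => [ "/bin", "/usr/bin" ],
    notify      => Exec["sync_nova_db"],
    refreshonly => true
  }
  # … unchanged: sync_nova_db exec …
```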
3  modules/nova-infra/manifests/init.pp
@@ -0,0 +1,3 @@
+class nova-infra {
+ include nova-infra::install, nova-infra::service
+}
9 modules/nova-infra/manifests/install.pp
@@ -0,0 +1,9 @@
+class nova-infra::install {
+ # not all of these are probably requires on an infra box
+ $nova_infra_packages = [ "nova-api", "nova-objectstore", "nova-scheduler" ]
+
+ package { $nova_infra_packages:
+ ensure => present
+ }
+}
+
9 modules/nova-infra/manifests/service.pp
@@ -0,0 +1,9 @@
+class nova-infra::service {
+ $nova_infra_services = [ "nova-api", "nova-objectstore", "nova-scheduler" ]
+
+ service { $nova_infra_services:
+ ensure => running,
+ enable => true,
+ subscribe => File["/etc/nova/nova.conf"]
+ }
+}
11 modules/ntp/manifests/config.pp
@@ -0,0 +1,11 @@
+class ntp::config {
+ file { "/etc/ntp.conf":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => "644",
+ content => template("ntp/ntp.conf.erb"),
+ require => Class["ntp::install"],
+ notify => Class["ntp::service"],
+ }
+}
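Review bot: `mode => "644"` is given as a string here while every other file resource in this commit uses an octal literal (`0644`, `0600`, `0700`); both work, but mixing the two forms invites a later `mode => 644` typo that Puppet would interpret differently. Use `mode => 0644,` for consistency with the rest of the modules.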
4 modules/ntp/manifests/init.pp
@@ -0,0 +1,4 @@
+class ntp {
+ include ntp::install, ntp::config, ntp::service
+}
+
5 modules/ntp/manifests/install.pp
@@ -0,0 +1,5 @@
+class ntp::install {
+ package { "ntp":
+ ensure => present
+ }
+}
7 modules/ntp/manifests/service.pp
@@ -0,0 +1,7 @@
+class ntp::service {
+ service { "ntp":
+ ensure => running,
+ enable => true,
+ require => Class["ntp::config"]
+ }
+}
49 modules/ntp/templates/ntp.conf.erb
@@ -0,0 +1,49 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+<% ntpservers.each do |server| -%>
+server <%= server %> iburst
+<% end -%>
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
6 modules/rabbitmq/manifests/init.pp
@@ -0,0 +1,6 @@
+# TODO: (rp) This should have a rabbitmq::master and rabbitmq::slave
+# for HA config
+
+class rabbitmq {
+ include rabbitmq::install, rabbitmq::service
+}
5 modules/rabbitmq/manifests/install.pp
@@ -0,0 +1,5 @@
+class rabbitmq::install {
+ package { "rabbitmq-server":
+ ensure => present
+ }
+}
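Review bot: The package is installed with its stock configuration and nothing in this commit sets broker credentials — nova.conf.erb passes no `rabbit_*` flags — so nova will presumably connect with the broker's default `guest` account and password, and compute nodes need network access to the broker for that to work. This class would be the place to create a dedicated vhost/user with a password taken from the same `configval` store the mysql classes use and to remove or restrict the default account; at minimum, add a comment here recording that the default credentials are in use, e.g. `# TODO: replace the default guest account; nova.conf.erb currently relies on it`.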
7 modules/rabbitmq/manifests/service.pp
@@ -0,0 +1,7 @@
+class rabbitmq::service {
+ service { "rabbitmq-server":
+ ensure => running,
+ enable => true,
+ hasstatus => true
+ }
+}
86 modules/ssh/files/sshd_config
@@ -0,0 +1,86 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
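Review bot: `PasswordAuthentication` is left commented out (line 926), so it keeps sshd's default of `yes`: root is key-only via `PermitRootLogin without-password` and modules/ssh/manifests/config.pp manages root's authorized_keys, but every other account still accepts password logins over the network. If the intent is key-based access, add `PasswordAuthentication no` explicitly; the file's own trailing comment explains why `UsePAM yes` makes that setting matter. `KeyRegenerationInterval` and `ServerKeyBits` apply only to protocol 1, which `Protocol 2` already disables, and `X11Forwarding yes` is unnecessary on a server — dropping them makes the managed file reflect what is actually in effect.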
28 modules/ssh/manifests/config.pp
@@ -0,0 +1,28 @@
+class ssh::config {
+ file { "/etc/ssh/sshd_config":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0600,
+ source => "puppet:///modules/ssh/sshd_config",
+ require => Class["ssh::install"],
+ notify => Class["ssh::service"]
+ }
+
+ file { "/root/.ssh":
+ ensure => directory,
+ owner => "root",
+ group => "root",
+ mode => 0700
+ }
+
+ file { "/root/.ssh/authorized_keys":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0600,
+ content => configval("root_authorized_keys", "passwords", ""),
+ require => File["/root/.ssh"]
+ }
+}
+
7 modules/ssh/manifests/init.pp
@@ -0,0 +1,7 @@
+class ssh {
+ include ssh::params, ssh::install, ssh::config, ssh::service
+ $pw = configval("root_password","passwords")
+ err("root password: ${pw}")
+}
+
+
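Review bot: `err("root password: ${pw}")` writes the root password into the agent and master logs at error level on every run of every node; remove it (and `$pw`, which is otherwise unused). The lookup itself is also inconsistent with the rest of the commit: here `configval("root_password","passwords")` reads key `root_password` from `/etc/puppet/passwords.yaml`, whereas modules/mysql/manifests/install.pp and modules/nova-db/manifests/install.pp call `configval("passwords", $cluster_name)` and read a `passwords` map out of `/etc/puppet/<cluster>.yaml`, so secrets end up split across two files with opposite key/file conventions. Pick one layout (the per-cluster file seems to be the intended one given `$cluster_name` in site.pp) and use it here and in modules/ssh/manifests/config.pp.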
7 modules/ssh/manifests/install.pp
@@ -0,0 +1,7 @@
+
+class ssh::install {
+ package { "ssh":
+ name => $ssh::params::ssh_package_name,
+ ensure => present
+ }
+}
11 modules/ssh/manifests/params.pp
@@ -0,0 +1,11 @@
+class ssh::params {
+ case $operatingsystem {
+ /(Ubuntu|Debian)/: {
+ $ssh_package_name = "openssh-server"
+ }
+
+ default: {
+ $ssh_package_name = "sshd"
+ }
+ }
+}
8 modules/ssh/manifests/service.pp
@@ -0,0 +1,8 @@
+class ssh::service {
+ service { "ssh":
+ ensure => running,
+ enable => true,
+ require => Class["ssh::config"]
+ }
+}
+
17 puppet.conf
@@ -0,0 +1,17 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+templatedir=$confdir/templates
+prerun_command=/etc/puppet/etckeeper-commit-pre
+postrun_command=/etc/puppet/etckeeper-commit-post
+libdir=$confdir/lib
+
+[master]
+# These are needed when the puppetmaster is run by passenger
+# and can safely be removed if webrick is used.
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+