From 1f46b8431f26e0d509e56da132399099885bdf06 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 13:14:52 -0700
Subject: [PATCH 01/12] add forwarder role

---
 hieradata/org/lsst/role/forwarder.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 hieradata/org/lsst/role/forwarder.yaml

diff --git a/hieradata/org/lsst/role/forwarder.yaml b/hieradata/org/lsst/role/forwarder.yaml
new file mode 100644
index 0000000000..0925767f12
--- /dev/null
+++ b/hieradata/org/lsst/role/forwarder.yaml
@@ -0,0 +1,24 @@
+---
+classes:
+ - "profile::core::common"
+ - "profile::core::debugutils"
+ - "docker"
+ - "python"
+
+# disabling the kernel version check is needed on el7
+docker::overlay2_override_kernel_check: true
+docker::storage_driver: "overlay2"
+docker::version: "19.03.4"
+# ipa docker group is 70014
+docker::socket_group: "70014"
+docker::socket_override: true
+# install docker-compose at system level
+python::version: "python36"
+python::pip: "present"
+python::dev: "present"
+python::virtualenv: "present"
+# docker-compose is python3 only
+python::python_pips:
+ "docker-compose":
+ virtualenv: "system"
+ ensure: "1.25.0"

From fa780bcdc95589f3db34cd87a71b4a1f56d372c8 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 13:15:42 -0700
Subject: [PATCH 02/12] rm p::core::debugutils profile from comcam-fwd02

Provided by forwarder role.
---
 hieradata/node/comcam-fwd02.cp.lsst.org.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hieradata/node/comcam-fwd02.cp.lsst.org.yaml b/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
index b9ca7c146c..7c785f6178
--- a/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
+++ b/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
@@ -1,7 +1,6 @@
 ---
 classes:
 - "profile::ccs::daq_interface"
- - "profile::core::debugutils" # XXX mv to permanent role (when known)
 - "profile::core::nm_dispatch"
 - "profile::core::sysctl::rp_filter"
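Review bot: `docker::socket_group: "70014"` together with `docker::socket_override: true` hands every member of that IPA group root-equivalent control of the host (anyone who can talk to the docker socket can start a privileged container), but the only comment records the gid, not that consequence. I would make it explicit in the role file: `# NOTE: members of gid 70014 can drive the docker socket, which is root-equivalent on this host`. The pins `docker::version: "19.03.4"` and docker-compose `ensure: "1.25.0"` are also fixed at specific 2019 releases with no reason given; later 19.03.x point releases carried security fixes, so a one-line comment on why these versions (or tracking the latest 19.03.x) would help whoever revisits this.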
From dec52fd8cc23d24e266c5e621fef8ee1350b7686 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 13:18:32 -0700
Subject: [PATCH 03/12] change lsst-daq int from p2p2 -> p2p1

---
 hieradata/node/comcam-fwd02.cp.lsst.org.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hieradata/node/comcam-fwd02.cp.lsst.org.yaml b/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
index 7c785f6178..a579baca6e
--- a/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
+++ b/hieradata/node/comcam-fwd02.cp.lsst.org.yaml
@@ -6,9 +6,9 @@ classes:
 profile::core::sysctl::rp_filter::enable: false
 profile::ccs::common::sysctls: false
-profile::ccs::daq_interface::hwaddr: "f8:f2:1e:56:95:f1"
-profile::ccs::daq_interface::uuid: "02b6f32f-f0a0-4178-9ecf-7bf349c68897"
-profile::ccs::daq_interface::was: "p2p2"
+profile::ccs::daq_interface::hwaddr: "f8:f2:1e:56:95:f0"
+profile::ccs::daq_interface::uuid: "b92aa237-1b70-4a2b-9bbb-da15a3f0e599"
+profile::ccs::daq_interface::was: "p2p1"
 profile::ccs::daq_interface::mode: "dhcp-client"
 profile::core::nm_dispatch::interfaces:
 em1:
@@ -38,7 +38,7 @@ network::interfaces_hash:
 bootproto: "none"
 onboot: "no"
 type: "Ethernet"
- p2p1: # not connected
+ p2p2: # not connected
 bootproto: "none"
 onboot: "no"
 type: "Ethernet"

From 13bab826dd54592e2dbc6c5e25d8e7b418acfbbb Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 14:02:36 -0700
Subject: [PATCH 04/12] add /var/log/iip dir

---
 hieradata/org/lsst/role/forwarder.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hieradata/org/lsst/role/forwarder.yaml b/hieradata/org/lsst/role/forwarder.yaml
index 0925767f12..ff8bcad6c2
--- a/hieradata/org/lsst/role/forwarder.yaml
+++ b/hieradata/org/lsst/role/forwarder.yaml
@@ -22,3 +22,9 @@ python::python_pips:
 "docker-compose":
 virtualenv: "system"
 ensure: "1.25.0"
+files:
+ "/var/log/iip":
+ ensure: "directory"
+ mode: "0755"
+ owner: "iip"
+ group: "iip"
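Review bot: `/var/log/iip` is created `0755`, so any local account on the forwarder can read whatever the forwarder logs there; unless another service needs read access, `mode: "0750"` is the safer default and costs nothing. The `owner: "iip"` / `group: "iip"` also assume the account is resolvable when the catalog applies — presumably it comes from IPA, like the docker gid earlier in this file — and the `file` resource will fail on a host that is not yet enrolled, which deserves a comment such as `# iip user/group are expected from IPA; enrol the host before applying this role`.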
From dd0ea1e934307c09a2cfdfec6ad89c559210ef03 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 14:47:24 -0700
Subject: [PATCH 05/12] add p::archive::forwarder

---
 site/profile/manifests/archive/forwarder.pp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 site/profile/manifests/archive/forwarder.pp

diff --git a/site/profile/manifests/archive/forwarder.pp b/site/profile/manifests/archive/forwarder.pp
new file mode 100644
index 0000000000..3ecaa679c0
--- /dev/null
+++ b/site/profile/manifests/archive/forwarder.pp
@@ -0,0 +1,12 @@
+# @summary
+# Generic archiver forwarder host profile
+#
+class profile::archive::forwarder {
+ $iip_uid = 61003
+
+ cron { 'k5start_root':
+ command => "/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_${iip_uid} > /dev/null 2>&1",
+ user => 'root',
+ minute => '*/1',
+ }
+}

From 402b06bd549dbd12c46882343ed785bc0925539c Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 14:48:22 -0700
Subject: [PATCH 06/12] include proifile::archive::forwarder

---
 hieradata/org/lsst/role/forwarder.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hieradata/org/lsst/role/forwarder.yaml b/hieradata/org/lsst/role/forwarder.yaml
index ff8bcad6c2..e3c2cb3044
--- a/hieradata/org/lsst/role/forwarder.yaml
+++ b/hieradata/org/lsst/role/forwarder.yaml
@@ -1,5 +1,6 @@
 ---
 classes:
+ - "profile::archive::forwarder"
 - "profile::core::common"
 - "profile::core::debugutils"
 - "docker"

From 488490d30e051b17adff02ce09029ad644c37e71 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 15:35:34 -0700
Subject: [PATCH 07/12] add /var/tmp/data dir

---
 hieradata/org/lsst/role/forwarder.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hieradata/org/lsst/role/forwarder.yaml b/hieradata/org/lsst/role/forwarder.yaml
index e3c2cb3044..e8734777e4
--- a/hieradata/org/lsst/role/forwarder.yaml
+++ b/hieradata/org/lsst/role/forwarder.yaml
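Review bot: The cron entry obtains a ticket from the host keytab (`-f /etc/krb5.keytab -U`) and makes the cache root-owned (`-o root`), yet names it `/tmp/krb5cc_61003` after the iip uid, so the cache holds the host principal's credentials and is not readable by iip — the uid in the name and the ownership do not agree. If the cache is meant for iip, `-o iip` is the one-line change; either way `$iip_uid = 61003` is a hard-coded value with no explanation, and a comment like `# uid of the iip service account; the cache name must match what the forwarder looks for` would make the contract visible. `> /dev/null 2>&1` also discards k5start's errors, so a bad keytab or unreachable KDC stays invisible until tickets run out; letting cron mail or syslog keep stderr is worth considering.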
@@ -29,3 +29,8 @@ files:
 mode: "0755"
 owner: "iip"
 group: "iip"
+ "/var/tmp/data":
+ ensure: "directory"
+ mode: "0755"
+ owner: "iip"
+ group: "iip"

From 46ffbf1a1f16a59677f660757f3877c715f5b53b Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 15:40:40 -0700
Subject: [PATCH 08/12] add keytab_base64 param

---
 site/profile/manifests/archive/forwarder.pp | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/site/profile/manifests/archive/forwarder.pp b/site/profile/manifests/archive/forwarder.pp
index 3ecaa679c0..f66a75fe25
--- a/site/profile/manifests/archive/forwarder.pp
+++ b/site/profile/manifests/archive/forwarder.pp
@@ -1,12 +1,27 @@
 # @summary
 # Generic archiver forwarder host profile
 #
-class profile::archive::forwarder {
- $iip_uid = 61003
+# @param keytab_base64
+# base64 encoded krb5 keytab for the iip user
+#
+class profile::archive::forwarder(
+ String $keytab_base64,
+) {
+ $iip_uid = 61003
+ $iip_keytab = '/home/iip/.keytab'
+
+ file { $iip_keytab:
+ ensure => file,
+ owner => 'iip',
+ group => 'iip',
+ mode => '0400',
+ content => base64('decode', $keytab_base64),
+ }
 cron { 'k5start_root':
- command => "/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_${iip_uid} > /dev/null 2>&1",
+ command => "/usr/bin/k5start -f ${iip_keytab} -U -o iip -k /tmp/krb5cc_${iip_uid} -H 60 > /dev/null 2>&1",
 user => 'root',
 minute => '*/1',
+ require => File[$iip_keytab],
 }
 }

From eb9cae5a3d01eb18b8403d0ae707fa2a7af0ab52 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 16:19:49 -0700
Subject: [PATCH 09/12] add profile::core::k5login

---
 site/profile/manifests/core/k5login.pp | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 site/profile/manifests/core/k5login.pp

diff --git a/site/profile/manifests/core/k5login.pp b/site/profile/manifests/core/k5login.pp
new file mode 100644
index 0000000000..1e7f505d3f
--- /dev/null
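Review bot: The keytab arrives as a plain `String` and is written through `content =>`, so the decoded secret can end up in agent logs, reports and catalog dumps (the `file` type diffs content changes unless told not to); declare it `Sensitive[String] $keytab_base64,`, pass `content => Sensitive(base64('decode', $keytab_base64.unwrap)),` and add `show_diff => false,` to the `file` resource. The Hiera value must also come from an encrypted backend (eyaml or similar) — that is not visible in this series, so worth confirming before merge. The cron command still drops the cache at the predictable `/tmp/krb5cc_61003` in a world-writable directory and discards all output, so a wrong keytab or a KDC outage only surfaces when the forwarder's tickets expire; a private directory (e.g. under `/run`) and keeping stderr would harden it. `/home/iip/.keytab` also requires the home directory to exist before this class runs, which nothing in the hunk guarantees.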
+++ b/site/profile/manifests/core/k5login.pp
@@ -0,0 +1,13 @@
+# @summary
+# Generates k5login resoures
+#
+# @param k5login
+# Hash of k5login resources to create
+#
+class profile::core::k5login (
+ Optional[Hash[String, Hash]] $k5login = undef,
+) {
+ if $k5login {
+ ensure_resources('k5login', $k5login)
+ }
+}

From 0b13825dca6e8319924dfb758eb965c46f177f83 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 16:20:48 -0700
Subject: [PATCH 10/12] add p::core::k5login to p::core::common

---
 site/profile/manifests/core/common.pp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/site/profile/manifests/core/common.pp b/site/profile/manifests/core/common.pp
index cb4310ff00..7af7c9df60
--- a/site/profile/manifests/core/common.pp
+++ b/site/profile/manifests/core/common.pp
@@ -51,6 +51,7 @@
 include profile::core::dielibwrapdie
 include profile::core::hardware
 include profile::core::ipa
+ include profile::core::k5login
 include profile::core::selinux
 include resolv_conf
 include rsyslog

From ac9eea48c8043d341a3b830f1386213db8b84492 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 16:24:18 -0700
Subject: [PATCH 11/12] add saluser .k5login for atarchiver

---
 hieradata/node/atarchiver.cp.lsst.org.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hieradata/node/atarchiver.cp.lsst.org.yaml b/hieradata/node/atarchiver.cp.lsst.org.yaml
index 49816a6e78..93722e2720
--- a/hieradata/node/atarchiver.cp.lsst.org.yaml
+++ b/hieradata/node/atarchiver.cp.lsst.org.yaml
@@ -101,3 +101,9 @@ nfs::client_mounts:
 share: "home"
 server: "nfs1.cp.lsst.org"
 atboot: true
+
+profile::core::k5login::k5login:
+ "/home/saluser/.k5login":
+ ensure: "present"
+ principals:
+ - "iip/comcam-fwd02.cp.lsst.org@LSST.CLOUD"

From 794dc85ec7eade45ea11a5e5cfc6b8aec691f1e0 Mon Sep 17 00:00:00 2001
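Review bot: The `@summary` line has a typo (`resoures`) and the class doc does not say what shape the hash takes, which matters here because each entry grants Kerberos principals login as a local user; I would write `# Hash of k5login resources to create, keyed by the .k5login path (e.g. /home/<user>/.k5login) with the k5login resource attributes as values` and fix the typo. The `Optional` default plus the `if $k5login` guard and `ensure_resources` call look fine as they are.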
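Review bot: This writes `/home/saluser/.k5login` on a host whose home share comes from `nfs1.cp.lsst.org` (the context lines directly above), so if that export is mounted at `/home` the grant lives on the NFS server and, assuming the same export is mounted elsewhere, `iip/comcam-fwd02` gains saluser login on every such host, not just atarchiver; with `root_squash` on the export Puppet may also be unable to write the file at all. A comment stating the intended scope, e.g. `# NOTE: saluser's home is NFS-backed, so this k5login grant applies wherever that home is mounted`, and a check of the export options would settle both. As far as I recall the `k5login` type manages the whole principal list, so any entry added by hand will be removed on the next run — desirable, but worth saying next to the key.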
From: Joshua Hoblitt
Date: Tue, 12 Jan 2021 16:59:06 -0700
Subject: [PATCH 12/12] add saluser .k5login for comcam-arctl01

---
 hieradata/node/comcam-arctl01.cp.lsst.org.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hieradata/node/comcam-arctl01.cp.lsst.org.yaml b/hieradata/node/comcam-arctl01.cp.lsst.org.yaml
index 030f779d01..0a0d2c0715
--- a/hieradata/node/comcam-arctl01.cp.lsst.org.yaml
+++ b/hieradata/node/comcam-arctl01.cp.lsst.org.yaml
@@ -106,3 +106,9 @@ nfs::client_mounts:
 share: "lsstdata"
 server: "%{facts.fqdn}"
 atboot: true
+
+profile::core::k5login::k5login:
+ "/home/saluser/.k5login":
+ ensure: "present"
+ principals:
+ - "iip/comcam-fwd01.cp.lsst.org@LSST.CLOUD"
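Review bot: The pairing looks cross-wired and is uncommented: atarchiver (previous patch) gets `iip/comcam-fwd02` while this ComCam archiver gets `iip/comcam-fwd01`, so a reader cannot tell whether that is deliberate or a copy-paste slip. A comment above the principal naming the expected forwarder, e.g. `# forwarder host allowed to log in as saluser on this archiver`, would settle it. Granting a service principal login as the shared `saluser` account is also broader than needed if the forwarder only drops files; a dedicated ingest account would be closer to least privilege, though that may be constrained by the CSC setup, which is not visible here.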