Ubuntu 18.04, round 2

.kitchen.docker.yml

@@ -15,6 +15,9 @@ provisioner:
   hiera_deep_merge: true
   hiera_writer_files:
     - secrets/vault.yaml:
+        telegraf:
+          user: telegraf
+          password: telegraf4fun
         linux_vnc:
           user: cltbld
           group: cltbld
@@ -34,6 +37,9 @@ provisioner:
             bugzilla_api_key: 'BZ_KEY'
   provision_command: locale-gen en_US.UTF-8; apt-get install dbus
   puppet_verbose: true
+  # explodes if specified, defaults to latest/6
+  # https://github.com/petems/puppet-install-shell/issues/137
+  # puppet_version: 6
   puppet_debug: true
   require_chef_for_busser: true
   require_puppet_omnibus: true

.kitchen.yml

@@ -11,6 +11,9 @@ provisioner:
   hiera_deep_merge: true
   hiera_writer_files:
     - secrets/vault.yaml:
+        telegraf:
+          user: telegraf
+          password: telegraf4fun
         linux_vnc:
           user: cltbld
           group: cltbld
@@ -29,6 +32,7 @@ provisioner:
             quarantine_access_token: 'Q_TOKEN'
             bugzilla_api_key: 'BZ_KEY'
   puppet_verbose: true
+  puppet_version: 6
   puppet_debug: true
   require_chef_for_busser: false
   require_puppet_omnibus: true

README.md

@@ -22,7 +22,9 @@
 - #2 Profiles can't be called/included inside (component) modules.
 - #3 Hiera lookups should only be done within profiles and then passed as args to the class.
 
-For more information see: https://puppet.com/docs/pe/2018.1/the_roles_and_profiles_method.html
+More information:
+- https://puppet.com/docs/pe/2018.1/the_roles_and_profiles_method.html
+- https://puppet.com/docs/pe/2017.2/r_n_p_intro.html
 
 ## testing
 

data/common.yaml

@@ -220,6 +220,11 @@ all_users:
 
   bclary:
     - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjEqpf1njrTlmvBMhfKJiQFP92uuS2EFIoL/f2u/39Q83Opk7T3mFOEvmnBNy83J7/k7j21VMzovdylsLk169x6NqPMZZ7sdtNW/WAiImUyWAVkuszkl7rbh8XdgF/UzTi8uHUAVZI/8gsh8g3wQ9h61BOWX7GEag99pho+ECpEGDjb3HXOD4B4vr/qZO5eMIssHzCKDXWchOpwlNPYk5Yij61+Hm/eTobSFLk7Rk1RGjuwcKpJUG8D3MmfTPY7I4YFA+i6TaQJJj/OdWguH599R/SIU6cVoqsQee9GDD2sSxsuDeop7ckM27kfklL2APeG2UBZ8Ugsnw7niJx9LJxk9PUY4ohs2LrNlwrEiB8Uq5yw9PF6Ik3aD4y8mHXSV/xajMA6s67XwdCZd51DwEZ9Q7h8ULsq1kpDvXx7+9OZ/xwucTuiH9sbvf438gx0/E+GAg24qhvQPQdA7+W2T2CJJPEhoe3OlJRibOgFHm1CmV3h6F34e5g8qz2kPGcNEu/toB9+14YyQfP7nZrz4UnHw3bJcNEHvl1JaSDcm2GiE3Nu0MYeAtnmWOA3AFs6IhkEvwFeY3lE1n6oyKB7XGeNxdrRTCMckM/ojoo9Hi3NbZ0giorM5vKcSeOE/iLtSDdaE1cUFdgrBqv6mBGxuGHukWmZNh+Z2o16RhQWZK1NQ== bclary@mozilla.com
+
+  # from relops_common_keys_2020-09-08.yml
+  relops:
+    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0k0dwdH7h8j+zRPprLFeTgRwkgI6mcjQCeEoaqOY2 Relops ed25519 Key
+
   notary1:
     - ssh-rsa AAAA invalid@mozilla.com
   notary2:

modules/disable_services/files/10periodic

@@ -0,0 +1,4 @@
+APT::Periodic::Enable "0";
+APT::Periodic::Update-Package-Lists "0";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";

modules/disable_services/files/20auto-upgrades

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "0";
+APT::Periodic::Unattended-Upgrade "0";

modules/disable_services/files/apport

@@ -0,0 +1 @@
+enabled=0

modules/disable_services/manifests/init.pp

@@ -0,0 +1,79 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+class disable_services() {
+    case $::operatingsystem {
+        'Ubuntu': {
+            # These packages are required by ubuntu-desktop, so we can't uninstall them.
+            # Instead, install but disable them.
+            case $::operatingsystemrelease {
+                '18.04': {
+                    # acpi removed because it can't be disabled this way
+                    #   (never worked in build-puppet/16.04)
+                    $install_and_disable = [ 'cups', 'anacron',
+                        'whoopsie', 'modemmanager', 'apport',
+                        'avahi-daemon', 'network-manager' ]
+                    package {
+                        $install_and_disable:
+                            ensure => latest;
+                    }
+                    service {
+                        $install_and_disable:
+                            ensure   => stopped,
+                            provider => 'systemd',
+                            enable   => false,
+                            require  => Package[$install_and_disable];
+                    }
+
+                    # disable apport via defaults also
+                    file {
+                        '/etc/default/apport':
+                            source => "puppet:///modules/${module_name}/apport";
+                    }
+
+                    # this package and service have different names
+                    package {
+                        'bluez':
+                            ensure => latest;
+                    }
+                    service {
+                        'bluetooth':
+                            ensure   => stopped,
+                            provider => 'systemd',
+                            enable   => false,
+                            require  => Package['bluez'];
+                    }
+
+                    # disable periodic apt actions
+                    file {
+                        '/etc/apt/apt.conf.d/10periodic':
+                          ensure => file,
+                          owner  => 'root',
+                          group  => 'root',
+                          source => "puppet:///modules/${module_name}/10periodic";
+
+                        '/etc/apt/apt.conf.d/20auto-upgrades':
+                          ensure => file,
+                          owner  => 'root',
+                          group  => 'root',
+                          source => "puppet:///modules/${module_name}/20auto-upgrades";
+                    }
+
+                    # stop 'unattended-upgrades' processes, disabled in /etc/apt/apt.conf.d/20auto-upgrades
+                    # but still showing up
+                    service { 'unattended-upgrades':
+                        ensure => stopped,
+                        enable => false,
+                    }
+                }
+                default: {
+                    fail("Unrecognized Ubuntu version ${::operatingsystemrelease}")
+                }
+            }
+        }
+        default: {
+            fail("gui is not supported on ${::operatingsystem}")
+        }
+    }
+}

modules/grub/manifests/init.pp

@@ -0,0 +1,46 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+class grub (
+    # dhouse is testing grub logging, but not working yet
+    $log_aggregator_host = 'log-aggregator2.srv.releng.mdc2.mozilla.com',
+    $log_aggregator_port = 514,
+){
+    case $::operatingsystem {
+        'Ubuntu': {
+            case $::operatingsystemrelease {
+                '18.04': {
+
+                    # 1804/lvm/efi has issues with setting a timeout.
+                    # - we set GRUB_RECORDFAIL_TIMEOUT to work around this.
+                    #
+                    # more info:
+                    # - https://forums.linuxmint.com/viewtopic.php?f=46&t=287026#p1588204
+                    # - https://askubuntu.com/questions/1164407/grub-is-ignoring-settings-in-etc-default-grub-single-boot-system
+
+                    package {
+                        'grub2-common':
+                            ensure => present;
+                    }
+                    file {
+                        '/etc/default/grub':
+                            ensure  => present,
+                            content => template('grub/default-grub.erb'),
+                            notify  => Exec['update-grub'];
+                    }
+                    exec { 'update-grub':
+                        command     => '/usr/sbin/update-grub',
+                        subscribe   => File['/etc/default/grub'],
+                        refreshonly => true,
+                    }
+                }
+                default: {
+                    fail("cannot install on ${::operatingsystemrelease}")
+                }
+            }
+        }
+        default: {
+            fail("cannot install on ${::operatingsystem}")
+        }
+    }
+}

modules/grub/templates/default-grub.erb

@@ -0,0 +1,44 @@
+# If you change this file, run 'update-grub' afterwards to update
+# /boot/grub/grub.cfg.
+# For full documentation of the options in this file, see:
+#   info -f grub -n 'Simple configuration'
+
+GRUB_DEFAULT=0
+GRUB_TIMEOUT_STYLE=menu
+GRUB_TIMEOUT=10
+GRUB_RECORDFAIL_TIMEOUT=10  # EFI/LVM uses this for all boots
+GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+GRUB_CMDLINE_LINUX_DEFAULT=""
+# notes on grub options
+# - 'dis_ucode_ldr': makes certain problematic moonshot nodes boot, otherwise they hang at purple screen
+# - 'debug': debug output for developers, potentially alarming in a red herring way
+GRUB_CMDLINE_LINUX="nosplash console=ttyS0,9600n8r console=tty0 log_host=<%= @log_aggregator_host  %> log_port=<%= @log_aggregator_port  %> dis_ucode_ldr"
+
+# from build-puppet
+#
+# GRUB_HIDDEN_TIMEOUT=0
+# GRUB_HIDDEN_TIMEOUT_QUIET=true
+# GRUB_TIMEOUT=10
+# GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+
+# Uncomment to enable BadRAM filtering, modify to suit your needs
+# This works with Linux (no patch required) and with any kernel that obtains
+# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
+#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
+
+# Uncomment to disable graphical terminal (grub-pc only)
+#GRUB_TERMINAL=console
+
+# The resolution used on graphical terminal
+# note that you can use only modes which your graphic card supports via VBE
+# you can see them in real GRUB with the command `vbeinfo'
+#GRUB_GFXMODE=640x480
+
+# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
+#GRUB_DISABLE_LINUX_UUID=true
+
+# Uncomment to disable generation of recovery mode menu entries
+#GRUB_DISABLE_RECOVERY="true"
+
+# Uncomment to get a beep at grub start
+#GRUB_INIT_TUNE="480 440 1"

modules/grub/templates/default-grub.orig

@@ -0,0 +1,33 @@
+# If you change this file, run 'update-grub' afterwards to update
+# /boot/grub/grub.cfg.
+# For full documentation of the options in this file, see:
+#   info -f grub -n 'Simple configuration'
+
+GRUB_DEFAULT=0
+GRUB_TIMEOUT_STYLE=hidden
+GRUB_TIMEOUT=0
+GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+GRUB_CMDLINE_LINUX="nosplash debug console=ttyS0,9600n8r console=tty0"
+
+# Uncomment to enable BadRAM filtering, modify to suit your needs
+# This works with Linux (no patch required) and with any kernel that obtains
+# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
+#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
+
+# Uncomment to disable graphical terminal (grub-pc only)
+#GRUB_TERMINAL=console
+
+# The resolution used on graphical terminal
+# note that you can use only modes which your graphic card supports via VBE
+# you can see them in real GRUB with the command `vbeinfo'
+#GRUB_GFXMODE=640x480
+
+# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
+#GRUB_DISABLE_LINUX_UUID=true
+
+# Uncomment to disable generation of recovery mode menu entries
+#GRUB_DISABLE_RECOVERY="true"
+
+# Uncomment to get a beep at grub start
+#GRUB_INIT_TUNE="480 440 1"

modules/linux_generic_worker/manifests/init.pp

@@ -20,6 +20,10 @@
     String $generic_worker_sha256,
     Pattern[/^v\d+\.\d+\.\d+$/] $taskcluster_proxy_version,
     String $taskcluster_proxy_sha256,
+    Pattern[/^v\d+\.\d+\.\d+$/] $livelog_version,
+    String                      $livelog_sha256,
+    Pattern[/^v\d+\.\d+\.\d+$/] $start_worker_version,
+    String                      $start_worker_sha256,
     Pattern[/^v\d+\.\d+\.\d+$/] $quarantine_worker_version,
     String $quarantine_worker_sha256,
     String $taskcluster_host = 'taskcluster',
@@ -33,6 +37,10 @@
         generic_worker_sha256     => $generic_worker_sha256,
         taskcluster_proxy_version => $taskcluster_proxy_version,
         taskcluster_proxy_sha256  => $taskcluster_proxy_sha256,
+        livelog_version           => $livelog_version,
+        livelog_sha256            => $livelog_sha256,
+        start_worker_version      => $start_worker_version,
+        start_worker_sha256       => $start_worker_sha256,
         quarantine_worker_version => $quarantine_worker_version,
         quarantine_worker_sha256  => $quarantine_worker_sha256
     }
@@ -76,30 +84,41 @@
     $reboot_command = '/usr/bin/sudo /sbin/reboot --force'
 
     file {
-        default: * => $::shared::file_defaults;
+        default:
+            owner => $user,
+            # TODO: take this as an arg, don't assume
+            group => $user;
 
         ["${user_homedir}/.config",
         "${user_homedir}/.config/autostart"]:
             ensure => directory;
         "${user_homedir}/.config/autostart/gnome-terminal.desktop":
             content => template('linux_generic_worker/gnome-terminal.desktop.erb');
 
-        '/usr/local/bin/run-generic-worker.sh':
+        ["${user_homedir}/tasks", "${user_homedir}/downloads"]:
+            ensure => directory;
+
+        '/usr/local/bin/run-start-worker.sh':
             ensure  => present,
-            content => template('linux_generic_worker/run-generic-worker.sh.erb'),
+            content => template('linux_generic_worker/run-start-worker.sh.erb'),
+            owner   => root,
+            group   => root,
             mode    => '0755';
 
-        '/etc/generic-worker.config':
+        '/etc/start-worker.yml':
             ensure  => present,
-            content => template('linux_generic_worker/generic-worker.config.erb'),
+            content => template('linux_generic_worker/worker-runner-config.yml.erb'),
+            owner   => root,
+            group   => root,
             mode    => '0644';
 
         '/var/log/genericworker':
             ensure => directory,
             mode   => '0777';
     }
 
-    # TODO: see below
+    # TODO: cleanup
+    # from build-puppet, seems not needed for modern talos/raptor
 
     #         host { $taskcluster_host:
     #             ip => '127.0.0.1'

modules/linux_generic_worker/templates/generic-worker.config.erb

@@ -7,11 +7,9 @@
   "clientId": "<%= @taskcluster_client_id %>",
   "deploymentId": "",
   "downloadsDir": "<%= @downloads_dir %>",
-  "idleTimeoutSecs": 345600,
   "instanceId": "",
   "instanceType": "",
   "livelogExecutable": "livelog",
-  "livelogPUTPort": 60022,
   "numberOfTasksToRun": 1,
   "privateIP": "",
   "provisionerId": "releng-hardware",
@@ -20,7 +18,6 @@
   "requiredDiskSpaceMegabytes": 10240,
   "rootURL": "https://firefox-ci-tc.services.mozilla.com",
   "runAfterUserCreation": "",
-  "runTasksAsCurrentUser": true,
   "sentryProject": "generic-worker",
   "shutdownMachineOnIdle": false,
   "shutdownMachineOnInternalError": false,
@@ -31,8 +28,8 @@
   "workerGroup": "<%= @worker_group %>",
   "workerId": "<%= @hostname %>",
   "workerType": "<%= @worker_type %>",
-  "wstAudience": "taskcluster-net",
-  "wstServerURL": "https://websocktunnel.tasks.build",
+  "wstAudience": "firefoxcitc",
+  "wstServerURL": "https://firefoxci-websocktunnel.services.mozilla.com/",
   "workerTypeMetadata": {
     "machine-setup": {
       "config": "https://github.com/mozilla-platform-ops/ronin_puppet/raw/master/modules/linux_generic_worker/templates/generic-worker.config.erb",

modules/linux_generic_worker/templates/gnome-terminal.desktop.erb

@@ -3,11 +3,10 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 [Desktop Entry]
 Type=Application
-Exec=gnome-terminal -x /usr/local/bin/run-generic-worker.sh run --config /etc/generic-worker.config
+Exec=gnome-terminal -x /usr/local/bin/run-start-worker.sh /etc/start-worker.yml
 Hidden=false
 X-GNOME-Autostart-enabled=true
 Name=Generic-Worker
 Comment=Start generic-worker in a terminal session
 StartupNotify=false
 Terminal=false
-Type=Application