From 9a5d3c936cffe25aa7d707e7b7cc30eae439d32c Mon Sep 17 00:00:00 2001
From: Nikola Vitanovic
Date: Wed, 7 Mar 2018 10:00:50 +0100
Subject: [PATCH 01/11] Added protect base and enabling of epel repo
---
 manifests/apache_agent_cl.pp | 572 +++++++++++-----------
 templates/apache_agent/rhnplugin.conf.erb | 20 +
 2 files changed, 318 insertions(+), 274 deletions(-)
 create mode 100644 templates/apache_agent/rhnplugin.conf.erb
diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp
index 3f6093b..bda3573 100644
--- a/manifests/apache_agent_cl.pp
+++ b/manifests/apache_agent_cl.pp
@@ -45,343 +45,367 @@ $lve_postgres_backend_sed_cmd = '/usr/bin/sed -i "s/db_type = sqlite/db_type = postgresql/" /etc/sysconfig/lvestats2' $lve_postgres_backend_grep_cmd = '/usr/bin/grep "^db_type = postgresql" /etc/sysconfig/lvestats2' + # First we need to add the repo and enable it exec { 'add epel repo': command => '/usr/bin/rpm -Uhv http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm', - unless => "/usr/bin/rpm -qi epel-release | /bin/grep -c 'Build Date'" + unless => "/usr/bin/rpm -qi epel-release | /bin/grep -c 'Build Date'", + notify => Exec['enable epel repo'] } - $packages_to_install = [ - 'atomiastatisticscopy', 'httpd', 'cronolog', 'atomia-python-ZSI', 'mod_ssl' - ] - - package { $packages_to_install: - ensure => installed, - require => Exec['add epel repo'], - } - - # Install lve-stats - exec { 'install lve-stats2': - command => '/usr/bin/yum -y install lve-stats --enablerepo=cloudlinux-updates-testing', - unless => '/usr/bin/rpm -qa | /bin/grep -c lve-stats-2', - require => [Package['cagefs']], - } - - exec { 'update lve-stats connection string': - command => "/usr/bin/sed -i 's#connect_string =.*#connect_string = atomia-lve:${cloudlinux_database_password}@${daggre_ip}/lve#' /etc/sysconfig/lvestats2", - unless => "/usr/bin/grep -c 'connect_string = atomia-lve:${cloudlinux_database_password}@${daggre_ip}/lve' /etc/sysconfig/lvestats2", - notify => Service['lvestats'], - require => Exec['install lve-stats2'], - } - - # Set postgres backend - exec { 'set postgres backend': - command => $lve_postgres_backend_sed_cmd, - unless => $lve_postgres_backend_grep_cmd, - notify => Exec['create lve database'], - require => Exec['install lve-stats2'], - } - - exec { 'create lve database': - command => "/usr/sbin/lve-create-db && touch /storage/configuration/cloudlinux/lve_db_${daggre_ip}", - creates => "/storage/configuration/cloudlinux/lve_db_${daggre_ip}", - require => [Exec['set postgres backend'],File['/storage/configuration/cloudlinux']], - } 
- - service { 'lvestats': - ensure => running, - require => [Exec['install lve-stats2'],Exec['set postgres backend'],Exec['create lve database']], + exec { 'enable epel repo': + command => '/usr/bin/yum-config-manager --enable epel', + refreshonly => true } - # Install alt-php - package { 'lvemanager': + # Now we add the protect base packge in order for CloudLinux to pull the right dependencies + package { 'yum-plugin-protectbase': ensure => installed, + require => Exec['enable epel repo'] } - exec { 'install altphp': - command => '/usr/bin/yum -y groupinstall alt-php', - timeout => 1800, - unless => '/usr/bin/rpm -qa | /bin/grep -c alt-php70', - require => [Package['cagefs']], - } - - file {'/storage/configuration/cloudlinux/lve_packages': - ensure => 'present', - replace => 'no', - content => '#lve packages', + # Create the needed protect file + file { '/etc/yum/pluginconf.d/rhnplugin.conf': + owner => 'root', + group => 'root', mode => '0644', - require => [Package['lvemanager'],File['/storage']], - } - - file {'/storage/configuration/cloudlinux/lve_packages.sh': - ensure => 'present', - source => 'puppet:///modules/atomia/apache_agent/lve_packages.sh', - mode => '0755', - require => [Package['lvemanager'],File['/storage']], + content => template('atomia/apache_agent/rhnplugin.conf.erb'), + require => Package['yum-plugin-protectbase'], } - exec {'enable lve package lookup': - command => '/usr/bin/echo -e "\nCUSTOM_GETPACKAGE_SCRIPT=/storage/configuration/cloudlinux/lve_packages.sh" >> /etc/sysconfig/cloudlinux', - unless => '/bin/grep -c "/storage/configuration/cloudlinux/lve_packages.sh" /etc/sysconfig/cloudlinux' - } - - # Install Cagefs - package { 'cagefs': - ensure => present, - notify => Exec['init cagefs'], - } - - exec { 'init cagefs': - command => '/usr/sbin/cagefsctl --init', - require => Package['cagefs'], - refreshonly => true, - notify => Exec['enable cagefs'], - } + # All the code now goes here as all this above is needed first + if 
defined(File['/etc/yum/pluginconf.d/rhnplugin.conf']) { + $packages_to_install = [ + 'atomiastatisticscopy', 'httpd', 'cronolog', 'atomia-python-ZSI', 'mod_ssl' + ] - exec { 'enable cagefs': - command => '/usr/sbin/cagefsctl --disable-all', - require => Package['cagefs'], - refreshonly => true, - } + package { $packages_to_install: + ensure => installed, + require => Exec['add epel repo'], + } - # Install mod_lsapi - exec { 'install mod_lsapi': - command => '/usr/bin/yum -y install liblsapi liblsapi-devel mod_lsapi gcc gcc-c++ cmake httpd-devel --enablerepo=cloudlinux-updates-testing', - unless => '/usr/bin/rpm -qa | /bin/grep -c liblsapi', - notify => Exec['setup mod_lsapi'] - } + # Install lve-stats + exec { 'install lve-stats2': + command => '/usr/bin/yum -y install lve-stats --enablerepo=cloudlinux-updates-testing', + unless => '/usr/bin/rpm -qa | /bin/grep -c lve-stats-2', + require => [Package['cagefs']], + } - exec { 'setup mod_lsapi': - command => '/usr/bin/switch_mod_lsapi --setup', - refreshonly => true - } + exec { 'update lve-stats connection string': + command => "/usr/bin/sed -i 's#connect_string =.*#connect_string = atomia-lve:${cloudlinux_database_password}@${daggre_ip}/lve#' /etc/sysconfig/lvestats2", + unless => "/usr/bin/grep -c 'connect_string = atomia-lve:${cloudlinux_database_password}@${daggre_ip}/lve' /etc/sysconfig/lvestats2", + notify => Service['lvestats'], + require => Exec['install lve-stats2'], + } - file { '/etc/httpd/conf.d/lsapi.conf': - owner => 'root', - group => 'root', - mode => '0644', - content => template('atomia/apache_agent/lsapi.conf.erb'), - require => Exec['install mod_lsapi'], - notify => Service['httpd'] - } + # Set postgres backend + exec { 'set postgres backend': + command => $lve_postgres_backend_sed_cmd, + unless => $lve_postgres_backend_grep_cmd, + notify => Exec['create lve database'], + require => Exec['install lve-stats2'], + } + + exec { 'create lve database': + command => "/usr/sbin/lve-create-db && touch 
/storage/configuration/cloudlinux/lve_db_${daggre_ip}", + creates => "/storage/configuration/cloudlinux/lve_db_${daggre_ip}", + require => [Exec['set postgres backend'],File['/storage/configuration/cloudlinux']], + } - # Install mod_hostinglimits - package { 'mod_hostinglimits': - ensure => present, - require => Package['httpd'], - } + service { 'lvestats': + ensure => running, + require => [Exec['install lve-stats2'],Exec['set postgres backend'],Exec['create lve database']], + } - file { '/etc/httpd/conf.d/modhostinglimits.conf': - owner => 'root', - group => 'root', - mode => '0644', - content => template('atomia/apache_agent/modhostinglimits.conf.erb'), - require => Package['mod_hostinglimits'], - notify => Service['httpd'] - } + # Install alt-php + package { 'lvemanager': + ensure => installed, + } - if $content_share_nfs_location == '' { - $internal_zone = hiera('atomia::active_directory::domain_name','') + exec { 'install altphp': + command => '/usr/bin/yum -y groupinstall alt-php', + timeout => 1800, + unless => '/usr/bin/rpm -qa | /bin/grep -c alt-php70', + require => [Package['cagefs']], + } - package { 'glusterfs-client': ensure => present, } + file {'/storage/configuration/cloudlinux/lve_packages': + ensure => 'present', + replace => 'no', + content => '#lve packages', + mode => '0644', + require => [Package['lvemanager'],File['/storage']], + } - if !defined(File['/storage']) { - file { '/storage': - ensure => directory, - } + file {'/storage/configuration/cloudlinux/lve_packages.sh': + ensure => 'present', + source => 'puppet:///modules/atomia/apache_agent/lve_packages.sh', + mode => '0755', + require => [Package['lvemanager'],File['/storage']], } - fstab::mount { '/storage/content': - ensure => 'mounted', - device => "gluster.${internal_zone}:/web_volume", - options => 'defaults,_netdev', - fstype => 'glusterfs', - require => [Package['glusterfs-client'],File['/storage']], + exec {'enable lve package lookup': + command => '/usr/bin/echo -e 
"\nCUSTOM_GETPACKAGE_SCRIPT=/storage/configuration/cloudlinux/lve_packages.sh" >> /etc/sysconfig/cloudlinux', + unless => '/bin/grep -c "/storage/configuration/cloudlinux/lve_packages.sh" /etc/sysconfig/cloudlinux' } - fstab::mount { '/storage/configuration': - ensure => 'mounted', - device => "gluster.${internal_zone}:/config_volume", - options => 'defaults,_netdev', - fstype => 'glusterfs', - before => [File['/storage/configuration/cloudlinux'],Exec['create lve database']], - require => [ Package['glusterfs-client'],File['/storage']], + # Install Cagefs + package { 'cagefs': + ensure => present, + notify => Exec['init cagefs'], } - } - else - { - atomia::nfsmount { 'mount_content': - use_nfs3 => '1', - mount_point => '/storage/content', - nfs_location => $content_share_nfs_location, + + exec { 'init cagefs': + command => '/usr/sbin/cagefsctl --init', + require => Package['cagefs'], + refreshonly => true, + notify => Exec['enable cagefs'], } - atomia::nfsmount { 'mount_configuration': - use_nfs3 => '1', - mount_point => '/storage/configuration', - before => [File['/storage/configuration/cloudlinux'],Exec['create lve database']], - nfs_location => $config_share_nfs_location, + exec { 'enable cagefs': + command => '/usr/sbin/cagefsctl --disable-all', + require => Package['cagefs'], + refreshonly => true, } - } - if $should_have_pa_apache == '1' { - package { 'atomia-pa-apache': - ensure => present, - require => [Package['httpd'], Package['cronolog'], Package['atomia-python-ZSI'], Package['mod_ssl'] ], + # Install mod_lsapi + exec { 'install mod_lsapi': + command => '/usr/bin/yum -y install liblsapi liblsapi-devel mod_lsapi gcc gcc-c++ cmake httpd-devel --enablerepo=cloudlinux-updates-testing', + unless => '/usr/bin/rpm -qa | /bin/grep -c liblsapi', + notify => Exec['setup mod_lsapi'] } - file { '/storage/configuration/cloudlinux/phpversions.conf': - ensure => present, + exec { 'setup mod_lsapi': + command => '/usr/bin/switch_mod_lsapi --setup', + refreshonly => true 
} - package { 'nodejs': - ensure => present, - require => Exec['add epel repo'], + file { '/etc/httpd/conf.d/lsapi.conf': + owner => 'root', + group => 'root', + mode => '0644', + content => template('atomia/apache_agent/lsapi.conf.erb'), + require => Exec['install mod_lsapi'], + notify => Service['httpd'] } - package { 'atomia-cloudlinux-agent': + # Install mod_hostinglimits + package { 'mod_hostinglimits': ensure => present, - require => Package['nodejs'], + require => Package['httpd'], } - service { 'atomia-cloudlinux-agent': - ensure => running, - require => Package['atomia-cloudlinux-agent'], + file { '/etc/httpd/conf.d/modhostinglimits.conf': + owner => 'root', + group => 'root', + mode => '0644', + content => template('atomia/apache_agent/modhostinglimits.conf.erb'), + require => Package['mod_hostinglimits'], + notify => Service['httpd'] } - if $is_master == 1 { - exec { 'sync php versions': - command => "/usr/bin/curl -X PUT -H \"Authorization: ${cloudlinux_agent_secret}\" http://localhost:8000/php/sync -v", - require => [Package['atomia-cloudlinux-agent'], Exec['install altphp'], File['/etc/httpd/conf/phpversions.conf']], + if $content_share_nfs_location == '' { + $internal_zone = hiera('atomia::active_directory::domain_name','') + + package { 'glusterfs-client': ensure => present, } + + if !defined(File['/storage']) { + file { '/storage': + ensure => directory, + } + } + + fstab::mount { '/storage/content': + ensure => 'mounted', + device => "gluster.${internal_zone}:/web_volume", + options => 'defaults,_netdev', + fstype => 'glusterfs', + require => [Package['glusterfs-client'],File['/storage']], + } + + fstab::mount { '/storage/configuration': + ensure => 'mounted', + device => "gluster.${internal_zone}:/config_volume", + options => 'defaults,_netdev', + fstype => 'glusterfs', + before => [File['/storage/configuration/cloudlinux'],Exec['create lve database']], + require => [ Package['glusterfs-client'],File['/storage']], } } + else + { + 
atomia::nfsmount { 'mount_content': + use_nfs3 => '1', + mount_point => '/storage/content', + nfs_location => $content_share_nfs_location, + } - file { '/etc/httpd/conf/phpversions.conf': - ensure => 'link', - target => '/storage/configuration/cloudlinux/phpversions.conf', - require => [File['/storage/configuration/cloudlinux'], File['/storage/configuration/cloudlinux/phpversions.conf']], - force => true, + atomia::nfsmount { 'mount_configuration': + use_nfs3 => '1', + mount_point => '/storage/configuration', + before => [File['/storage/configuration/cloudlinux'],Exec['create lve database']], + nfs_location => $config_share_nfs_location, + } } - file {'/etc/cl.selector/symlinks.rules': + if $should_have_pa_apache == '1' { + package { 'atomia-pa-apache': + ensure => present, + require => [Package['httpd'], Package['cronolog'], Package['atomia-python-ZSI'], Package['mod_ssl'] ], + } + + file { '/storage/configuration/cloudlinux/phpversions.conf': + ensure => present, + } + + package { 'nodejs': + ensure => present, + require => Exec['add epel repo'], + } + + package { 'atomia-cloudlinux-agent': + ensure => present, + require => Package['nodejs'], + } + + service { 'atomia-cloudlinux-agent': + ensure => running, + require => Package['atomia-cloudlinux-agent'], + } + + if $is_master == 1 { + exec { 'sync php versions': + command => "/usr/bin/curl -X PUT -H \"Authorization: ${cloudlinux_agent_secret}\" http://localhost:8000/php/sync -v", + require => [Package['atomia-cloudlinux-agent'], Exec['install altphp'], File['/etc/httpd/conf/phpversions.conf']], + } + } + + file { '/etc/httpd/conf/phpversions.conf': + ensure => 'link', + target => '/storage/configuration/cloudlinux/phpversions.conf', + require => [File['/storage/configuration/cloudlinux'], File['/storage/configuration/cloudlinux/phpversions.conf']], + force => true, + } + + file {'/etc/cl.selector/symlinks.rules': + ensure => 'present', + content => 'php.d.location = selector', + mode => '0644', + require => 
[File['/etc/httpd/conf/phpversions.conf']], + notify => Exec['apply-symlinks-rules'], + } + + exec { 'apply-symlinks-rules': + command => '/usr/bin/selectorctl --apply-symlinks-rules', + refreshonly => true + } + } + + #Apply black list when changed on puppetmaster + file {'/etc/cagefs/black.list': ensure => 'present', - content => 'php.d.location = selector', - mode => '0644', - require => [File['/etc/httpd/conf/phpversions.conf']], - notify => Exec['apply-symlinks-rules'], + source => 'puppet:///modules/atomia/apache_agent/black.list', + mode => '0600', + notify => Exec['apply-blacklist'] } - exec { 'apply-symlinks-rules': - command => '/usr/bin/selectorctl --apply-symlinks-rules', + exec { 'apply-blacklist': + command => '/usr/sbin/cagefsctl --force-update', refreshonly => true } - } - - #Apply black list when changed on puppetmaster - file {'/etc/cagefs/black.list': - ensure => 'present', - source => 'puppet:///modules/atomia/apache_agent/black.list', - mode => '0600', - notify => Exec['apply-blacklist'] - } - - exec { 'apply-blacklist': - command => '/usr/sbin/cagefsctl --force-update', - refreshonly => true - } - service { 'httpd': - ensure => running, - } + service { 'httpd': + ensure => running, + } - file { '/etc/httpd/conf.d/atomia-pa-apache.conf': - ensure => present, - content => template('atomia/apache_agent/atomia-pa-apache-cl.conf.erb'), - require => Package['atomia-pa-apache'], - notify => Service['httpd'], - } + file { '/etc/httpd/conf.d/atomia-pa-apache.conf': + ensure => present, + content => template('atomia/apache_agent/atomia-pa-apache-cl.conf.erb'), + require => Package['atomia-pa-apache'], + notify => Service['httpd'], + } - # CloudLinux shared configuration - file { '/storage/configuration/cloudlinux': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0701', - } + # CloudLinux shared configuration + file { '/storage/configuration/cloudlinux': + ensure => directory, + owner => 'root', + group => 'root', + mode => 
'0701', + } - file { '/storage/configuration/cloudlinux/users.enabled': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0701', - require => File['/storage/configuration/cloudlinux'] - } + file { '/storage/configuration/cloudlinux/users.enabled': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0701', + require => File['/storage/configuration/cloudlinux'] + } - file { '/etc/cagefs/users.enabled': - ensure => 'link', - target => '/storage/configuration/cloudlinux/users.enabled', - require => File['/storage/configuration/cloudlinux'], - force => true, - } + file { '/etc/cagefs/users.enabled': + ensure => 'link', + target => '/storage/configuration/cloudlinux/users.enabled', + require => File['/storage/configuration/cloudlinux'], + force => true, + } - file { '/storage/configuration/cloudlinux/cagefs_var': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0751', - require => File['/storage/configuration/cloudlinux'] - } + file { '/storage/configuration/cloudlinux/cagefs_var': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0751', + require => File['/storage/configuration/cloudlinux'] + } - file { '/var/cagefs': - ensure => 'link', - target => '/storage/configuration/cloudlinux/cagefs_var', - require => [File['/storage/configuration/cloudlinux/cagefs_var'], Exec['init cagefs']], - force => true, - } + file { '/var/cagefs': + ensure => 'link', + target => '/storage/configuration/cloudlinux/cagefs_var', + require => [File['/storage/configuration/cloudlinux/cagefs_var'], Exec['init cagefs']], + force => true, + } - file { '/storage/configuration/cloudlinux/cagefs_container': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', - require => File['/storage/configuration/cloudlinux'] - } + file { '/storage/configuration/cloudlinux/cagefs_container': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + require => 
File['/storage/configuration/cloudlinux'] + } - file { '/etc/container': - ensure => 'link', - target => '/storage/configuration/cloudlinux/cagefs_container', - require => [File['/storage/configuration/cloudlinux/cagefs_container'], Exec['init cagefs']], - force => true, - } + file { '/etc/container': + ensure => 'link', + target => '/storage/configuration/cloudlinux/cagefs_container', + require => [File['/storage/configuration/cloudlinux/cagefs_container'], Exec['init cagefs']], + force => true, + } - file { $maps_path: - ensure => directory, - owner => 'root', - group => 'apache', - mode => '2750', - recurse => true, - } + file { $maps_path: + ensure => directory, + owner => 'root', + group => 'apache', + mode => '2750', + recurse => true, + } - file { '/storage/configuration/cloudlinux/cagefs_container/ve.cfg': - ensure => file, - owner => 'root', - group => 'root', - mode => '0644', - replace => 'no', - content => template('atomia/apache_agent/ve.cfg.erb'), - require => File['/etc/container'] - } + file { '/storage/configuration/cloudlinux/cagefs_container/ve.cfg': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + replace => 'no', + content => template('atomia/apache_agent/ve.cfg.erb'), + require => File['/etc/container'] + } - $maps_to_ensure = [ - "${maps_path}/frmrs.map", "${maps_path}/parks.map", "${maps_path}/phpvr.map", "${maps_path}/redrs.map", "${maps_path}/sspnd.map", - "${maps_path}/users.map", "${maps_path}/vhost.map", "${maps_path}/proxy.map" - ] + $maps_to_ensure = [ + "${maps_path}/frmrs.map", "${maps_path}/parks.map", "${maps_path}/phpvr.map", "${maps_path}/redrs.map", "${maps_path}/sspnd.map", + "${maps_path}/users.map", "${maps_path}/vhost.map", "${maps_path}/proxy.map" + ] - file { $maps_to_ensure: - ensure => present, - owner => 'root', - group => 'apache', - mode => '0440', - require => File[$maps_path], + file { $maps_to_ensure: + ensure => present, + owner => 'root', + group => 'apache', + mode => '0440', + 
require => File[$maps_path], + } } - } diff --git a/templates/apache_agent/rhnplugin.conf.erb b/templates/apache_agent/rhnplugin.conf.erb new file mode 100644 index 0000000..ae0068d --- /dev/null +++ b/templates/apache_agent/rhnplugin.conf.erb @@ -0,0 +1,20 @@ +[main] +enabled = 1 +gpgcheck = 1 +timeout = 120 +<% if @operatingsystemmajrelease == "7" %> + +[cloudlinux-x86_64-server-7] +protect = 1 +<% elsif @operatingsystemmajrelease == "6" %> + +[cloudlinux-x86_64-server-6] +protect = 1 +<% else %> + +[cloudlinux-x86_64-server-5] +protect = 1 +<% end %> + +[cloudlinux-base] +protect = 1 \ No newline at end of file From 15a23feaeb584b7e582b33f0f3114f437627a8a3 Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Wed, 7 Mar 2018 10:56:49 +0100 Subject: [PATCH 02/11] more elegant erb file, and first protect base then epel --- manifests/apache_agent_cl.pp | 35 +++++++++++++---------- templates/apache_agent/rhnplugin.conf.erb | 12 +------- 2 files changed, 21 insertions(+), 26 deletions(-) diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp index bda3573..b7ded2e 100644 --- a/manifests/apache_agent_cl.pp +++ b/manifests/apache_agent_cl.pp 
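Review bot: The `if defined(File['/etc/yum/pluginconf.d/rhnplugin.conf'])` wrapper added around the rest of apache_agent_cl.pp (PATCH 01, first hunk) neither gates nor orders anything: `defined()` is resolved while the catalog is compiled, and because that File resource is declared a few lines above, the condition is always true regardless of what exists on the node. The packages inside it still carry only `require => Exec['add epel repo']`, so apart from manifest order nothing guarantees the protect settings are written before yum resolves CloudLinux packages with EPEL enabled, which is the situation protectbase is meant to prevent. I would drop the wrapper and put the dependency on the installing resources, e.g. `require => [Exec['enable epel repo'], File['/etc/yum/pluginconf.d/rhnplugin.conf']],` on `package { $packages_to_install: }`. The re-indented block also keeps `${cloudlinux_database_password}` and `${cloudlinux_agent_secret}` inside exec command strings (the latter with `curl -v`), where they can surface in process listings and Puppet logs or reports; that predates this commit, and the class header is above the hunk so the parameter definitions are not visible here.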
@@ -45,22 +45,9 @@ $lve_postgres_backend_sed_cmd = '/usr/bin/sed -i "s/db_type = sqlite/db_type = postgresql/" /etc/sysconfig/lvestats2' $lve_postgres_backend_grep_cmd = '/usr/bin/grep "^db_type = postgresql" /etc/sysconfig/lvestats2' - # First we need to add the repo and enable it - exec { 'add epel repo': - command => '/usr/bin/rpm -Uhv http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm', - unless => "/usr/bin/rpm -qi epel-release | /bin/grep -c 'Build Date'", - notify => Exec['enable epel repo'] - } - - exec { 'enable epel repo': - command => '/usr/bin/yum-config-manager --enable epel', - refreshonly => true - } - # Now we add the protect base packge in order for CloudLinux to pull the right dependencies package { 'yum-plugin-protectbase': - ensure => installed, - require => Exec['enable epel repo'] + ensure => installed } # Create the needed protect file @@ -70,10 +57,28 @@ mode => '0644', content => template('atomia/apache_agent/rhnplugin.conf.erb'), require => Package['yum-plugin-protectbase'], + notify => Exec['add epel repo'] + } + + # First we need to add the repo and enable it + exec { 'add epel repo': + command => '/usr/bin/rpm -Uhv http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm', + unless => "/usr/bin/rpm -qi epel-release | /bin/grep -c 'Build Date'", + notify => Exec['enable epel repo'], + refreshonly => true + } + + exec { 'enable epel repo': + command => '/usr/bin/yum-config-manager --enable epel && touch /etc/yum.repos.d/epelisenabled', + refreshonly => true + } -> + file { '/etc/yum.repos.d/epelisenabled': + ensure => 'file', + content => '1' } # All the code now goes here as all this above is needed first - if defined(File['/etc/yum/pluginconf.d/rhnplugin.conf']) { + if defined(File['/etc/yum.repos.d/epelisenabled']) { $packages_to_install = [ 'atomiastatisticscopy', 'httpd', 'cronolog', 'atomia-python-ZSI', 'mod_ssl' ] 
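Review bot: The re-added `add epel repo` exec in the `@@ -70,10 +57,28 @@` hunk still downloads `epel-release-latest-7.noarch.rpm` over plain `http://` and installs it as root with `rpm -Uhv`; that package delivers the repo definition and the GPG key that later EPEL installs are checked against, so whoever can alter the download decides what the host trusts. Use the TLS URL, `command => '/usr/bin/rpm -Uhv https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm',`, and consider checking the package signature against a pinned key before installing it. The same line is carried unchanged as context into the `@@ -57,35 +57,32 @@` hunk of PATCH 03. Separately, combining `refreshonly => true` with `unless` means the repo is only added when `rhnplugin.conf` changes, and the new `if defined(File['/etc/yum.repos.d/epelisenabled'])` guard is always true at compile time because that file resource is declared directly above it.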
diff --git a/templates/apache_agent/rhnplugin.conf.erb b/templates/apache_agent/rhnplugin.conf.erb index ae0068d..2bb2e65 100644 --- a/templates/apache_agent/rhnplugin.conf.erb +++ b/templates/apache_agent/rhnplugin.conf.erb @@ -2,19 +2,9 @@ enabled = 1 gpgcheck = 1 timeout = 120 -<% if @operatingsystemmajrelease == "7" %> -[cloudlinux-x86_64-server-7] +[cloudlinux-x86_64-server-<%= @operatingsystemmajrelease %>] protect = 1 -<% elsif @operatingsystemmajrelease == "6" %> - -[cloudlinux-x86_64-server-6] -protect = 1 -<% else %> - -[cloudlinux-x86_64-server-5] -protect = 1 -<% end %> [cloudlinux-base] protect = 1 \ No newline at end of file From 7726d2aecb81aedbc834bca32e494a09c98ec77d Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Thu, 8 Mar 2018 14:45:40 +0100 Subject: [PATCH 03/11] fix according to Bane specification the protect and epel repo, also added firewall rules, auto run should work --- manifests/apache_agent_cl.pp | 59 +++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp index b7ded2e..92841d4 100644 --- a/manifests/apache_agent_cl.pp +++ b/manifests/apache_agent_cl.pp @@ -49,7 +49,7 @@ package { 'yum-plugin-protectbase': ensure => installed } - + -> # Create the needed protect file file { '/etc/yum/pluginconf.d/rhnplugin.conf': owner => 'root', 
@@ -57,35 +57,32 @@ mode => '0644', content => template('atomia/apache_agent/rhnplugin.conf.erb'), require => Package['yum-plugin-protectbase'], - notify => Exec['add epel repo'] + notify => Exec['add epel repo'] } - + -> # First we need to add the repo and enable it exec { 'add epel repo': command => '/usr/bin/rpm -Uhv http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm', unless => "/usr/bin/rpm -qi epel-release | /bin/grep -c 'Build Date'", + require => [Package['yum-plugin-protectbase'], File['/etc/yum/pluginconf.d/rhnplugin.conf']], notify => Exec['enable epel repo'], refreshonly => true } - + -> exec { 'enable epel repo': - command => '/usr/bin/yum-config-manager --enable epel && touch /etc/yum.repos.d/epelisenabled', + command => '/usr/bin/yum-config-manager --enable epel', refreshonly => true - } -> - file { '/etc/yum.repos.d/epelisenabled': - ensure => 'file', - content => '1' } # All the code now goes here as all this above is needed first - if defined(File['/etc/yum.repos.d/epelisenabled']) { $packages_to_install = [ 'atomiastatisticscopy', 'httpd', 'cronolog', 'atomia-python-ZSI', 'mod_ssl' ] package { $packages_to_install: ensure => installed, - require => Exec['add epel repo'], + require => Exec['enable epel repo'], + notify => Exec['apply-firewall-httpd'] } # Install lve-stats @@ -109,7 +106,7 @@ notify => Exec['create lve database'], require => Exec['install lve-stats2'], } - + exec { 'create lve database': command => "/usr/sbin/lve-create-db && touch /storage/configuration/cloudlinux/lve_db_${daggre_ip}", creates => "/storage/configuration/cloudlinux/lve_db_${daggre_ip}", @@ -122,8 +119,9 @@ } # Install alt-php - package { 'lvemanager': + package { 'lvemanager': ensure => installed, + require => [Package['cagefs']], } exec { 'install altphp': 
@@ -155,8 +153,9 @@ # Install Cagefs package { 'cagefs': - ensure => present, - notify => Exec['init cagefs'], + ensure => present, + require => [Exec['enable epel repo'], Package[$packages_to_install]], + notify => Exec['init cagefs'], } exec { 'init cagefs': @@ -176,6 +175,7 @@ exec { 'install mod_lsapi': command => '/usr/bin/yum -y install liblsapi liblsapi-devel mod_lsapi gcc gcc-c++ cmake httpd-devel --enablerepo=cloudlinux-updates-testing', unless => '/usr/bin/rpm -qa | /bin/grep -c liblsapi', + require => Package['cagefs'], notify => Exec['setup mod_lsapi'] } @@ -256,6 +256,7 @@ package { 'atomia-pa-apache': ensure => present, require => [Package['httpd'], Package['cronolog'], Package['atomia-python-ZSI'], Package['mod_ssl'] ], + notify => Exec['apply-firewall-apache-agent'] } file { '/storage/configuration/cloudlinux/phpversions.conf': @@ -264,12 +265,13 @@ package { 'nodejs': ensure => present, - require => Exec['add epel repo'], + require => Package['cagefs'], } package { 'atomia-cloudlinux-agent': ensure => present, require => Package['nodejs'], + notify => Exec['apply-firewall-cl-agent'] } service { 'atomia-cloudlinux-agent': @@ -304,12 +306,13 @@ refreshonly => true } } - + #Apply black list when changed on puppetmaster file {'/etc/cagefs/black.list': ensure => 'present', source => 'puppet:///modules/atomia/apache_agent/black.list', mode => '0600', + require => Package['cagefs'], notify => Exec['apply-blacklist'] } 
@@ -322,6 +325,25 @@ ensure => running, } + #Apply the firewall rules when package is installed + exec { 'apply-firewall-httpd': + command => '/usr/bin/firewall-cmd --zone=public --add-port=80/tcp --permanent && /usr/bin/firewall-cmd --reload', + require => Package['httpd'], + unless => '/usr/sbin/iptables -S | /usr/bin/grep "80 "' + } + + exec { 'apply-firewall-cl-agent': + command => '/usr/bin/firewall-cmd --zone=public --add-port=8000/tcp --permanent && /usr/bin/firewall-cmd --reload', + require => Package['atomia-cloudlinux-agent'], + unless => '/usr/sbin/iptables -S | /usr/bin/grep 8000' + } + + exec { 'apply-firewall-apache-agent': + command => '/usr/bin/firewall-cmd --zone=public --add-port=9999/tcp --permanent && /usr/bin/firewall-cmd --reload', + require => Package['atomia-pa-apache'], + unless => '/usr/sbin/iptables -S | /usr/bin/grep 9999' + } + file { '/etc/httpd/conf.d/atomia-pa-apache.conf': ensure => present, content => template('atomia/apache_agent/atomia-pa-apache-cl.conf.erb'), @@ -335,6 +357,7 @@ owner => 'root', group => 'root', mode => '0701', + require => [Package['cagefs']], } file { '/storage/configuration/cloudlinux/users.enabled': @@ -388,6 +411,7 @@ group => 'apache', mode => '2750', recurse => true, + require => [File['/storage/configuration/cloudlinux']], } file { '/storage/configuration/cloudlinux/cagefs_container/ve.cfg': @@ -412,5 +436,4 @@ mode => '0440', require => File[$maps_path], } - } } From f103647b041659cbdafbc19216bf7c9d4e672b45 Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Fri, 9 Mar 2018 15:05:01 +0100 Subject: [PATCH 04/11] removed duplicate declaration from fsagent --- manifests/fsagent.pp | 6 ------ 1 file changed, 6 deletions(-) diff --git a/manifests/fsagent.pp b/manifests/fsagent.pp index e354068..55a773f 100644 --- a/manifests/fsagent.pp +++ b/manifests/fsagent.pp 
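Review bot: The three `apply-firewall-*` execs added in the `@@ -322,6 +325,25 @@` hunk open 80, 8000 and 9999/tcp in the `public` zone for every source address. For 8000 that publishes the atomia-cloudlinux-agent API, which this manifest itself calls on `http://localhost:8000/php/sync` with only an `Authorization` header, so presumably the shared secret would cross the network in clear text once remote callers use it; 9999 likewise looks like a provisioning port rather than a customer-facing one. I would keep 80 public and limit 8000 and 9999 to the provisioning hosts through a dedicated firewalld zone or a source-restricted rich rule. The `unless` guards also query a different tool with a loose substring, so `grep 8000` matches any rule that merely contains those digits and can skip the change or re-run it every time; asking firewalld directly is exact: `unless => '/usr/bin/firewall-cmd --zone=public --query-port=8000/tcp'`.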
@@ -49,7 +49,6 @@ package { 'g++': ensure => present } package { 'make': ensure => present } package { 'procmail': ensure => present } - package { 'unscd': ensure => present } if !defined(Package['atomia-manager']) { package { 'atomia-manager': ensure => present } } @@ -59,11 +58,6 @@ enable => false, ensure => 'stopped', } - service { 'unscd': - enable => true, - ensure => 'running', - require => Package['unscd'], - } if $::lsbdistrelease == '16.04' { package { [ From ac0d96d489e929dfdd9aded0a975a410c27ce3e4 Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Mon, 12 Mar 2018 09:05:18 +0100 Subject: [PATCH 05/11] fix phpnative.dat file not being created --- manifests/apache_agent_cl.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp index 92841d4..0706a56 100644 --- a/manifests/apache_agent_cl.pp +++ b/manifests/apache_agent_cl.pp @@ -151,6 +151,12 @@ unless => '/bin/grep -c "/storage/configuration/cloudlinux/lve_packages.sh" /etc/sysconfig/cloudlinux' } + #fix selectorctl list of default extensions (missing file) + exec {'create phpnative.dat': + command => '/bin/touch /var/lve/phpnative.dat', + require => [Package['lvemanager']], + } + # Install Cagefs package { 'cagefs': ensure => present, From 5501b08d70af303ace1e01ed5e240ced694d433f Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Mon, 12 Mar 2018 12:47:20 +0100 Subject: [PATCH 06/11] removed unscd because it conflicted with RHEL systems --- manifests/adjoin.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/adjoin.pp b/manifests/adjoin.pp index f8ec30a..e14fb2c 100644 --- a/manifests/adjoin.pp +++ b/manifests/adjoin.pp @@ -153,7 +153,7 @@ group => 'root', mode => '0600', content => template('atomia/adjoin/nscd.conf.erb'), - notify => [ Service['unscd'], Service['nscd'] ], + notify => [ Service['nscd'] ], } } } From f8c0b6169cb998bb9d845f598777ac594d21da5f Mon Sep 17 00:00:00 2001 
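Review bot: The `create phpnative.dat` exec has no `creates`, `unless` or `refreshonly`, so `/bin/touch` runs on every agent run, bumps the file's mtime and reports a change each time. Adding `creates => '/var/lve/phpnative.dat',` makes it idempotent. A `file` resource with `ensure => present` would achieve the same and would also let owner and mode be pinned.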
From: Nikola Vitanovic Date: Mon, 12 Mar 2018 12:47:20 +0100 Subject: [PATCH 07/11] Removed unscd because it conflicted with RHEL systems --- manifests/adjoin.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/adjoin.pp b/manifests/adjoin.pp index f8ec30a..163a6c4 100644 --- a/manifests/adjoin.pp +++ b/manifests/adjoin.pp @@ -153,7 +153,6 @@ group => 'root', mode => '0600', content => template('atomia/adjoin/nscd.conf.erb'), - notify => [ Service['unscd'], Service['nscd'] ], } } } From 032b7fe575be594a473fe154d4858194f31f70fb Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Mon, 12 Mar 2018 13:23:20 +0100 Subject: [PATCH 08/11] Fix if /etc/sysconfig/cloudlinux default does not exist, add it --- files/apache_agent/cloudlinux | 5 +++++ manifests/apache_agent_cl.pp | 8 ++++++++ 2 files changed, 13 insertions(+) create mode 100644 files/apache_agent/cloudlinux diff --git a/files/apache_agent/cloudlinux b/files/apache_agent/cloudlinux new file mode 100644 index 0000000..48f9469 --- /dev/null +++ b/files/apache_agent/cloudlinux @@ -0,0 +1,5 @@ +[license_check] +EMAIL=CP +disable_kill_orphaned_cron = N +normalized_user_cpu=Y +CUSTOM_GETPACKAGE_SCRIPT=/storage/configuration/cloudlinux/lve_packages.sh \ No newline at end of file diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp index 0706a56..b4b2276 100644 --- a/manifests/apache_agent_cl.pp +++ b/manifests/apache_agent_cl.pp 
@@ -146,6 +146,14 @@ require => [Package['lvemanager'],File['/storage']], } + # First we need to check if the /etc/sysconfig/cloudlinux exists if not then we need to populate it with defaults + # If the file is already there then we don't create it just do the next exec + file { '/etc/sysconfig/cloudlinux': + ensure => 'present', + replace => 'no', + source => "puppet:///modules/atomia/apache_agent/cloudlinux", + mode => '0644', + } -> exec {'enable lve package lookup': command => '/usr/bin/echo -e "\nCUSTOM_GETPACKAGE_SCRIPT=/storage/configuration/cloudlinux/lve_packages.sh" >> /etc/sysconfig/cloudlinux', unless => '/bin/grep -c "/storage/configuration/cloudlinux/lve_packages.sh" /etc/sysconfig/cloudlinux' From a4f7c74ec2f32d8c7069bb260b531cbb00a63c97 Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Mon, 12 Mar 2018 16:46:47 +0100 Subject: [PATCH 09/11] Added proposed fix to install nagios monitoring after enable repo as it needs some dependencies from EPEL repo (ZELENO) --- manifests/apache_agent_cl.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp index b4b2276..b477e01 100644 --- a/manifests/apache_agent_cl.pp +++ b/manifests/apache_agent_cl.pp @@ -71,6 +71,7 @@ -> exec { 'enable epel repo': command => '/usr/bin/yum-config-manager --enable epel', + before => Class['atomia::nagios::client'], refreshonly => true } From b0001c8effbf7dbf12416552d0eed22dd7af9fd3 Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Wed, 14 Mar 2018 08:40:44 +0100 Subject: [PATCH 10/11] Added fiewall rule for nagios client on CL --- manifests/apache_agent_cl.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp index b477e01..00c41f2 100644 --- a/manifests/apache_agent_cl.pp +++ b/manifests/apache_agent_cl.pp 
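Review bot: The new `file { '/etc/sysconfig/cloudlinux': }` resource sets `mode` but not `owner` or `group`, and with `replace => 'no'` a file that already exists keeps whatever content and ownership it has. Since this file names the `CUSTOM_GETPACKAGE_SCRIPT` that is presumably executed for package lookup, I would pin `owner => 'root',` and `group => 'root',` next to the mode. As a style point, the `source` string is double-quoted with no interpolation; single quotes would match the other `puppet:///` sources in this manifest.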
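Review bot: `before => Class['atomia::nagios::client']` on the `enable epel repo` exec is a hard reference, so a node that applies this manifest without that class in its catalog would fail compilation instead of skipping the ordering. Whether the class is always declared alongside this one is not visible from the hunk, so I would at least record the assumption with a comment such as `# atomia::nagios::client must be in the catalog; it pulls dependencies from EPEL`. The later `apply-firewall-nagios` exec depends on the same class through `require => Class['atomia::nagios::client']`. The exec sits in a `->` chain that starts outside the hunk.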
@@ -359,6 +359,12 @@ unless => '/usr/sbin/iptables -S | /usr/bin/grep 9999' } + exec { 'apply-firewall-nagios': + command => '/usr/bin/firewall-cmd --zone=public --add-port=5666/tcp --permanent && /usr/bin/firewall-cmd --reload', + require => Class['atomia::nagios::client'], + unless => '/usr/sbin/iptables -S | /usr/bin/grep 5666' + } + file { '/etc/httpd/conf.d/atomia-pa-apache.conf': ensure => present, content => template('atomia/apache_agent/atomia-pa-apache-cl.conf.erb'), From 8e87abef2c6b5d7231f6d34b33b64bc47c978e6b Mon Sep 17 00:00:00 2001 From: Nikola Vitanovic Date: Fri, 16 Mar 2018 11:41:29 +0100 Subject: [PATCH 11/11] Added modifying of services, to ensure the storage/configuration has been mounted before we start the service, also fixed comments to describe more --- Puppetfile | 4 ++- manifests/apache_agent_cl.pp | 61 +++++++++++++++++++++++++++++++++--- 2 files changed, 59 insertions(+), 6 deletions(-) diff --git a/Puppetfile b/Puppetfile index 6be5ab6..0c4ca61 100644 --- a/Puppetfile +++ b/Puppetfile @@ -90,4 +90,6 @@ mod "stdlib", mod 'derdanne-nfs', '1.0.1' -mod 'saz-ssh', '3.0.1' \ No newline at end of file +mod 'saz-ssh', '3.0.1' + +mod 'puppetlabs-inifile', '1.6.0' \ No newline at end of file diff --git a/manifests/apache_agent_cl.pp b/manifests/apache_agent_cl.pp index 00c41f2..0a35743 100644 --- a/manifests/apache_agent_cl.pp +++ b/manifests/apache_agent_cl.pp 
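Review bot: `apply-firewall-nagios` opens 5666/tcp in the public zone for every source address, although a Nagios client port normally only needs to be reachable from the monitoring server. A rich rule in place of `--add-port=5666/tcp` keeps it limited to that host, e.g. `--add-rich-rule='rule family="ipv4" source address="<NAGIOS_SERVER_IP>" port port="5666" protocol="tcp" accept'` (placeholder address; the inner single quotes need escaping inside the Puppet string). The same question applies to the agent ports 8000 and 9999 opened by the earlier firewall execs.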
@@ -146,9 +146,11 @@ mode => '0755', require => [Package['lvemanager'],File['/storage']], } + + # There was a possible bug, that some CloudLinux nodes were not having anything in the /etc/sysconfig/cloudlinux file. + # So we need to check if the /etc/sysconfig/cloudlinux exists if not then we need to populate it with defaults. + # If the file is already there then we don't create it just add the CUSTOM_GETPACKAGE_SCRIPT. - # First we need to check if the /etc/sysconfig/cloudlinux exists if not then we need to populate it with defaults - # If the file is already there then we don't create it just do the next exec file { '/etc/sysconfig/cloudlinux': ensure => 'present', replace => 'no', @@ -159,8 +161,11 @@ command => '/usr/bin/echo -e "\nCUSTOM_GETPACKAGE_SCRIPT=/storage/configuration/cloudlinux/lve_packages.sh" >> /etc/sysconfig/cloudlinux', unless => '/bin/grep -c "/storage/configuration/cloudlinux/lve_packages.sh" /etc/sysconfig/cloudlinux' } + + # Selectorctl was unable to add extensions and so it didn't work properly as it couldn't find the phpnative.dat file. + # Because of this, we need to ensure that there is a phpnative.dat file so it would work. + # The file can be empty so we can just touch it and leave it empty. - #fix selectorctl list of default extensions (missing file) exec {'create phpnative.dat': command => '/bin/touch /var/lve/phpnative.dat', require => [Package['lvemanager']], 
@@ -321,8 +326,13 @@ refreshonly => true } } + + # Blacklist file allows us to limit the binaries, files, folders that are in CageFS environment. + # Sometimes you need to block certian tools like gcc, g++ not be able to be used by users. + # As the system can use PHP exec() we need to ensure to block anything that can be misued. + # When the black.list file changes on master the rules will be aplied on the client nodes. + # CageFS needs to be updated so we do a force update to apply the new list. - #Apply black list when changed on puppetmaster file {'/etc/cagefs/black.list': ensure => 'present', source => 'puppet:///modules/atomia/apache_agent/black.list', @@ -336,11 +346,18 @@ refreshonly => true } + # We need to ensure the service is running and that it's enabled on startup. + service { 'httpd': ensure => running, + enable => true } - #Apply the firewall rules when package is installed + # These firewall rules are needed on RHEL based systems like CentOS 7 and CloudLinux 7. + # IPtables has been replaced with firewall-cmd, so we add the ports via that tool. + # All these firewall rules need to be aplied after the packages are installed. + # By default only port 22 is allowed and nothing else to listen. + exec { 'apply-firewall-httpd': command => '/usr/bin/firewall-cmd --zone=public --add-port=80/tcp --permanent && /usr/bin/firewall-cmd --reload', require => Package['httpd'], 
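Review bot: The rewritten comments carry a few typos worth fixing while they are being touched: in the blacklist comment `certian` should be `certain`, `misued` should be `misused` and `aplied` should be `applied`, and the firewall comment in the next hunk repeats `aplied`. The firewall comment also says iptables has been replaced by firewall-cmd, which does not match the `unless` guards of the execs below it; those still query `/usr/sbin/iptables -S`, so the comment or the guards should be brought into line.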
@@ -365,6 +382,40 @@ unless => '/usr/sbin/iptables -S | /usr/bin/grep 5666' } + # We need to adapt systemd services to wait for mounts before we start cagefs and lvestats. + # Finally we update the service to apply the changes to the .service files. + # All of the commands are run sequentially to ensure the right flow. + # ini_settings is added to Puppetfile in order to use this module. + + ini_setting { 'condition LVEctl service file': + ensure => present, + path => '/usr/lib/systemd/system/lvectl.service', + section => 'Unit', + setting => 'ConditionPathIsMountPoint', + value => '/storage/configuration/', + require => [Exec['install lve-stats2'],Exec['set postgres backend'],Exec['create lve database']] + } -> + ini_setting { 'condition LVEstats service file': + ensure => present, + path => '/usr/lib/systemd/system/lvestats.service', + section => 'Unit', + setting => 'ConditionPathIsMountPoint', + value => '/storage/configuration/', + require => [Exec['install lve-stats2'],Exec['set postgres backend'],Exec['create lve database']] + } -> + ini_setting { 'condition CageFS service file': + ensure => present, + path => '/usr/lib/systemd/system/cagefs.service', + section => 'Unit', + setting => 'ConditionPathIsMountPoint', + value => '/storage/configuration/', + require => [Exec['install lve-stats2'],Exec['set postgres backend'],Exec['create lve database'],Package['cagefs']] + } -> + exec { 'apply systemd changes': + command => '/bin/systemctl daemon-reload', + require => [Package['cagefs'],Exec['install lve-stats2'],Exec['set postgres backend'],Exec['create lve database']] + } + file { '/etc/httpd/conf.d/atomia-pa-apache.conf': ensure => present, content => template('atomia/apache_agent/atomia-pa-apache-cl.conf.erb'),
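Review bot: The comment says the units should wait for the mount, but `ConditionPathIsMountPoint` does not wait: if `/storage/configuration/` is not mounted when systemd starts the unit, the unit is skipped, which could leave cagefs or lvestats not running after boot. For ordering against the mount, the setting would be `setting => 'RequiresMountsFor',` in all three `ini_setting` resources. The edits also go into package-owned files under `/usr/lib/systemd/system/`, which a package update may overwrite; a drop-in under `/etc/systemd/system/<unit>.service.d/` would persist across updates. Finally, `apply systemd changes` has no `refreshonly => true`, so `daemon-reload` runs on every agent run rather than only when one of the settings changed.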