The zuul workers already have these repos installed by
install_puppet.sh (not for much longer but still).
Change-Id: I52bd7d48586492e8843b47bfb91043f28ea06b78
iptables rules are statically installed on zuul workers by DIB, so we
can move this class from openstack_project::template to
openstack_project::server and remove some related parameters from
openstack_project::template and openstack_project::single_use_slave.
Change-Id: I03db58441674a3f3eea86165c949a7d14425a0b7
Depends-On: I3ee306e46747b77499ff8975cd3d842b09ec2937
single_use_slave does not enable afs so we can move the client class
over to openstack_project::server. We don't remove the afs parameter
from the template class yet because it is needed for the iptables class.
Change-Id: Ibb099d5ffbf40501c27ba5caedd1e94e5ead6827
Now that glean manages our ssh keys for nodepool diskimages, we can
remove this puppet code.
Change-Id: I443258acd37a7df17ab30af48b181570489b9b16
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Limits was recently added for NPM jobs and should be moved into JJB.
Our apt.conf.d changes can be removed, we now have local APT mirrors
in each region, this should remove the need for these 2 files.
As for the reason for the removal of our 2 apt.conf.d files, I believe
we no longer need to skip translations or apt retry values as each
cloud region has local AFS repos for APT.
However, I plan to keep an eye on this and we can always add these
files back into DIB elements if it becomes an issue.
Change-Id: Iafec2c547f65386805822ff2b0ba9a418c962a8e
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We no longer need to manage sudoers, as we do this with DIB elements
now.
Change-Id: Ic558953ae2ba04c78408f43138495200fc9395dc
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Remove rsyslog from diskimages, as we want to manage it outside of
puppet.
Change-Id: I55b608edb826e9614682bb372898414c543a4865
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This drops the puppet dependency from our diskimages.
Change-Id: I653b5f31ce7075e455de8617c8604e78fc7eb449
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We don't need to stop the puppet service in single_use_slave, so as part
of emptying out openstack_project::template, move that resource
to openstack_project::server.
We still need to disable the service during the image build so add that
to the install_puppet.sh script.
Change-Id: I11db1b49f083c7a30e7908ba5a4a7df9d4033c9f
This is part of the effort to remove puppet from our diskimage builds.
Change-Id: Ia2926621211e647504b2636606cba4119c17e0cc
Depends-On: I4335eaa7948428a04cd2b4e73bb7dcc024dd7c97
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
First we remove the `include ::pip` from single_use_slave, since it was
already being declared in openstack_project::template and it is a fluke
of puppet that it wasn't causing a duplicate resource error.
Then we move the pip puppet class and the virtualenv package resource
out of openstack_project::template to openstack_project::server. The
virtualenv package should already be installed on nodepool workers by DIB.
The pip puppet class does three things:
1. Installs the python devel package, which we are already getting
from DIB
2. Installs pip, which we are already getting from DIB
3. Manages pip.conf. Here in the puppet manifests we're setting the
index URL to the upstream pypi repository, not our mirrors. When
the node is launched in nodepool the configure_mirror.sh ready
script will undo this and configure pip to use our mirrors.
So there should be no need to use the pip class on the nodepool workers.
Change-Id: Icc720e61cd12f31113a6e12482d4903a6772ae69
During the transition from puppet 2.7 to puppet 3.x we needed to
add logic to carefully select what versions of puppet and related
packages would be installed from the puppetlabs apt and yum
repositories. Before puppet 4 was announced, we rightfully feared
accidentally upgrading to backwards-incompatible versions of these
packages and breaking the world.
Now we are completely off of puppet 2.7, so we don't need to keep any
remnants of that around. Moreover, the new packaging system for puppet 4
will make it impossible to accidentally upgrade[1]. The package name has
changed from "puppet" to "puppet-agent", which has facter and hiera etc.
bundled into the same package, and in order to get the new package we
must add a new "puppet collections" repository. So, not only is this
pinning logic not needed to keep us safe, it is also not going to be
useful when we upgrade to puppet 4.
Looking at the puppetlabs repositories[2][3] we are already using the
latest version of the packages we are pinning and Puppet is definitely
not going to add new versions to these repositories.
The $puppet_version variable was leftover from when puppet.conf was
managed by puppet and not ansible so this patch cleans that up as well.
[1] https://docs.puppet.com/puppet/4.9/about_agent.html
[2] http://apt.puppetlabs.com/dists/trusty/main
[3] http://yum.puppetlabs.com/el/7/products/x86_64/
Change-Id: I06b5cd87ee7816b0f929d5e64dc66a5cceca222a
The fedora gem and symlink were added for fedora 18[1]. We no longer
install hiera-puppet (in fact it's been decommissioned[2]) and we don't
need to install the hiera gem, the distro-provided hiera version is
3.0.1 which should be good enough.
[1] https://review.openstack.org/#/c/32449/
[2] https://github.com/puppetlabs/hiera-puppet
Change-Id: Ic70ea22ce4274e7f61816bf36052c3ac7939091d
*-minimal images don't have byobu, whoopsie, or popularity-contest
installed on them, so there is no need to purge them from
single_use_slave. We can move these over to openstack_project::server to
help empty out openstack_project::template.
Change-Id: I3b39a89269e424f3d1c5806f35c743937c92f3f8
single_use_slave turns this off so there is no reason to keep it in the
openstack_project::template class.
This patch also removes the automatic_upgrades parameter from the
single_use_slave class, which is safe because project-config does not
use it.
Change-Id: If4d425cb581f4c5f57fbcdd7eee0622e829cb7ec
single_use_slave does not set the manage_exim parameter in
openstack_project::template to true so there is no reason to manage it
there. We can move the exim class into openstack_project::server to help
empty out openstack_project::template.
Change-Id: I3e933e55af147b9c50a6c2f861919449b8114e0a
Nothing in the template or puppetmaster classes uses any of the params
values. Classes that do use values in the params class, which are
o_p::server, o_p::users and o_p::users_install, include the params class
already either explicitly or by including other classes.
Change-Id: If91ff59e26bdb345f96224603becfb3f937ea90f
We use snmpd for cacti.o.o today, which our workers do not use. As
such, remove so we can reduce our puppet footprint.
Change-Id: Ic26a8e6f2b2fe3d76c36c4ed7bccd8efb7839858
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Once nodepool is installing and fully configuring unbound, we don't need
to manage it in the common openstack_project::template class. This patch
moves them over to openstack_project::server so that it is obvious that
puppet doesn't need to manage them for both single-use workers and
long-lived servers. Eventually the openstack_project::template class
should be empty and we can remove it.
Depends-On: I3905be12acd85581a608d87ba5159cc883343a37
Change-Id: Ie1daae8471d424f373b47262e9d0b21c15affce9
Once nodepool is building images with NTP already installed and enabled,
we don't need to manage it in the common openstack_project::template
class. This patch moves them over to openstack_project::server so that
it is obvious that puppet doesn't need to manage them for both
single-use workers and long-lived servers. Eventually the
openstack_project::template class should be empty and we can remove it.
Depends-On: Iee6babc183dd12cc82ce76ddfde04f2d98ddc4d6
Change-Id: Ie808a5b62014716c8506506fd15f39dba06e76b6
Once nodepool is building worker images with these packages already
installed, we don't need to manage them in the common
openstack_project::template class. This patch moves them over to
openstack_project::server so that it is obvious that puppet doesn't need
to manage them for both single-use workers and long-lived servers.
Eventually the openstack_project::template class should be empty and we
can remove it.
Depends-On: Ie1a0aba57390c9c0b269b4cbb076090ae1de73a9
Change-Id: I31295cdf12941e4adcf87a73418df1d17d9ec3d2
The single use nodepool workers don't need this, so let's slim down the
template class by moving this logic into the server class. As we move
away from running puppet to build images we should eventually end up
with an empty template class that we can delete entirely.
Change-Id: Ie65b2572dfdd74ffdefada57faaf03ff30ccd37f
Move openstack-specific configuration into the openstack_project module.
This was previously hard-coded in the iptables module, but is now
parameterized. Before the parameter can be given a site-agnostic default
value, pass in the needed value here.
Add the IPs for both the old and new cacti servers as part of the
service migration.
Change-Id: I173ca1efae4644c89cfab68d6beeba0a1dae9ce2
Depends-On: I9394982811f8dcf0d63eccb782de04bf4a047ec7
Needed-By: Ibae45af594fc2b18024fcc2d6ef040afd4ddd926
Because we no longer poll a puppetmaster with puppet, we can disable
the puppet service on boot. I noticed on ubuntu-xenial nodes it was
taking 2+ minutes for puppet to be started, which is a waste of
resources.
Change-Id: If03f83c73297c223999951b294b8ce675d7eab25
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We need to ensure ntpdate service starts on boot for centos-7.
Currently, ntpd explicitly requires ntpdate to be running before
the sync process can happen in ntpd. As a result, if ntpdate is not
running, ntpd will start but fail to sync because DNS cannot be
resolved.
If the clock is not already synced when ntpd starts, it will enter a
synchronisation phase for a default of 900s that holds up ntp-wait.
Change-Id: I98029a288c9a57f4b4b278b0dfb185609989662d
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We also need to update our root user ssh authorized_keys file to use
IP addresses, not hostnames.
Change-Id: I579e29a601c1e57caa35b206efb7f03ee63634cd
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We are switching to the IPv6 address because ubuntu-xenial has
disabled DNS lookup in openssh-server by default. As a result, root
can no longer SSH into ubuntu-xenial servers.
Change-Id: Ic796bee28bc04d35785647b003749860f6b26730
Depends-On: I28c5d71e62a62bd27f289a8bd70b235eac213e5c
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Since I29a101eb9ea5c2d0da6b7762fe93366f0c0a8999 we use ntp-wait, which
is part of the ntp-perl package on RedHat platforms, but included in
the base ntp package for others. For consistency, add the ntp-perl
package here so we can assume the utility is everywhere.
I have submitted similar upstream (see Jira issue); we could revert
this if it gets accepted.
Change-Id: If59acfb2a950f74d8246424580be3b2bd1409ad3
Since glean only configures the ssh key for the root
user on instances, this is needed so that the nodepool
generated images can be used by users who don't have their
ssh keys baked into the image.
Change-Id: Id09c63920b5565e1cc011eb98cfb132a11060bcc
Depends-On: I704453c6d3091a24e68509650c61efb638aea601
This change is prompted by npm-based builds, which tend to open
many files due to the 'microlibrary' approach that many javascript
projects take. In particular, horizon's npm-based builds were
running into this limit; while the tests were executing well, the
file open limit was exceeded during report generation.
This patch ups the soft limit from 1024 to 4096, and the hard limit
from 4096 to 8192 on all debian systems.
Change-Id: I8fc4a23eb34da88f7076a4c1ef2ec4c975dc450e