Previous review pointed out some additional modules we probably
aren't using any longer.
Remove the openafs::client section from openstack_project::server
because we're doing this with ansible now.
Depends-On: https://review.opendev.org/733890
Change-Id: Ib5104da9cf7d53b77191f48ec185f5d667d51944
This change will convert kdc03 to a master from a hot standby and will
remove kdc01 from management.
Cutover plan:
1. Disable kdc01 in ansible emergency file
2. Stop run-kprop cron on kdc01
3. Stop kadmind on kdc01
4. Execute run-kprop.sh on kdc01
5. Merge this change
6. Wait for puppet to convert kdc03 to the master
7. Confirm that run-kprop works from kdc03 to kdc04
8. Update dns records as documented in our kerberos docs
9. Test kadmin works
10. Delete old kdc01 server
Change-Id: Ib14b11fa1f0a6bc11b0f615ce5b6f6be214b5629
This new Xenial server is being added as a kerberos standby node but
will be used to replace kdc01 as the master once fully configured and
happy as a standby. This replaces the old trusty server.
Note that the server wasn't added to opendev.org as we don't have a
kerberos realm for that domain so that would be a separate activity for
the future.
Change-Id: I4cc5fcd7504c98a7bcd9dc4f2ad57bb5bf8b54bd
Contains a handler to restart crond when tz is changed. Cron service
name differs across distros.
Removes the puppet-timezone usage.
Change-Id: I4e45d0e0ed37214ac491f373ff2d37750e720718
Co-Authored-By: James E. Blair <corvus@inaugust.com>
Change-Id: Id8b347483affd710759f9b225bfadb3ce851333c
Depends-On: https://review.openstack.org/596503
Now that we've got base server stuff rewritten in ansible, remove the
old puppet versions.
Depends-On: https://review.openstack.org/588326
Change-Id: I5c82fe6fd25b9ddaa77747db377ffa7e8bf23c7b
We put in IP restrictions on logging in as root on our servers. Add
bridge.openstack.org's IPs so that we can ansible from it.
Change-Id: Id1cd81c41806cd028d834fb56e1686687d3fb65d
The openafs puppet module also declares a linux-generic-hwe-16.04
package for arm64 as it is required for those modules. This is to
cover the non-afs server case, where the later kernel still works
better anyway. Switch to ensure_packages, which handles if it is
already declared, so everyone can live together in peace.
Change-Id: I72c9423956b7739695a04a5de27f5d89c67240d0
Add a valid aarch64 sources configuration file, and update the
template to deploy the file on a per-architecture basis.
Ensure we install the HWE kernel for arm64 servers
Change-Id: If345e704540ea10828060d26e930a61ce68ed178
Seems puppet under centos doesn't like missing quotes:
Jan 31 16:43:12 git puppet-user[6206]: Parameter mode failed on File[/etc/yum/yum-cron.conf]: The file mode specification must be a string, not 'Fixnum' at /opt/system-config/production/modules/openstack_project/manifests/server.pp:149
Change-Id: I765b408ba79edfa406c69d20407788c26d437052
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
The correct package is yum-cron not yum-crontab.
Change-Id: Iba6f636f83f37f79a9c97f729e4cd2e4634d9e6d
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
yum-crontab is used to manage automatic updates on CentOS, enable
this to ensure our servers are kept up to date like Ubuntu.
Change-Id: If1b8a68de2e16e8d538df71e45ba5865d1278e0e
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
The bash history is an unintended form of documentation and also a way
to see what happened but by default it doesn't tell you when.
Before this change:
$ history
1 uname -a
2 sudo reboot
After this change:
$ history
1 2017-12-20T23:50:28+0000 uname -a
2 2017-12-20T23:50:35+0000 sudo reboot
Note that any entries in the bash history before this change will be
defaulted to when the change takes place.
Change-Id: I4443f00ab050891a16e545315ee88ae24893ac5d
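For reviewers and responders reading such a history file directly, the following added example (not part of the original commit) parses the on-disk format and renders it as in the "After this change" listing. It assumes the timestamps are enabled through bash's HISTTIMEFORMAT variable, which the commit message does not show; with it set, bash writes a `#<epoch seconds>` line before each command. The sample history text is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a ~/.bash_history file. The first command predates
# timestamping, so no "#<epoch>" line precedes it.
SAMPLE_HISTORY = """\
ls /etc
#1513813828
uname -a
#1513813835
sudo reboot
"""

# A timestamp line is '#' followed only by digits (epoch seconds).
_TS_LINE = re.compile(r"^#(\d+)$")


def parse_history(text):
    """Return a list of (datetime-or-None, command) tuples in file order."""
    entries = []
    pending = None  # timestamp waiting for its command line
    for line in text.splitlines():
        match = _TS_LINE.match(line)
        if match:
            pending = datetime.fromtimestamp(int(match.group(1)), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        entries.append((pending, line))
        pending = None
    return entries


def render(entries, fmt="%Y-%m-%dT%H:%M:%S%z"):
    """Format entries like `history` output, flagging untimestamped ones."""
    lines = []
    for number, (stamp, command) in enumerate(entries, start=1):
        shown = stamp.strftime(fmt) if stamp else "(no timestamp)"
        lines.append(f"{number} {shown} {command}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_history(SAMPLE_HISTORY))))
```

Entries reported as "(no timestamp)" are the ones bash itself would display with a defaulted time, so they should not be used to place a command on a timeline.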
Now that the exim module supports custom arrays of aliases (but has
ceased explicitly providing one for gerrit2), set the gerrit2 alias
for root E-mail delivery on review.o.o and review-dev.o.o. Also
plumb this through openstack_project::server so it can be used for
similar purposes on other servers.
Change-Id: I05df49af6abdf1494bdf0fee1be4cc79ec5b06d9
Depends-On: I2911f157812c127a514196ae58b7609378d7d4e4
We no longer need kdc02.o.o (ubuntu trusty), now that kdc04.o.o
(ubuntu xenial) is online.
Change-Id: I92b879f7a233dc81c0d64153b293ac12f7e72a40
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Now that kdc04.o.o is online, update our base server.pp to use it.
Change-Id: If6341ea41e2121ea367e55bec15813b4538dcbeb
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Now that we have migrated to ubuntu-xenial, we can stop testing on
trusty. We can also clean out old cacti.o.o and cacti01.o.o firewall
rules from our base server.pp.
Change-Id: I84b96de40a79d8103cfce5ec121e13a7d01f729d
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
As we upgrade cacti02.o.o to xenial, we need to allow it access to all
servers to collect stats. We can delete old firewall rules in a
follow-up patch.
Change-Id: I0bbd3e82fdf8644159dfe82b1dfc5478ef5095bb
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This allows us to more safely specify hosts by name in iptables
rules, as they will be resolved by puppet before being written
to disk.
Change-Id: Ie133ad8246d5907723a6d7cbf14644e0a10cc4e7
Depends-On: I7a0dfbab67bdba72c0a56acc611503795d2bc350
Cloud-init is changing our hostname on servers when we reboot. Stop
this from happening by disabling it.
Change-Id: Ia825a7823d7099870885636e0adb4134c5568715
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Due to a bad puppet-pip patch that I have merged, it was possible for
our virtualenv python installs to be switched to python3. As a result,
now we have a mix of virtualenv versions under python2 and python3 for
our control plane.
As a result, bump virtualenv to the latest version so we can reset the
base versions across all our servers.
Change-Id: I9f2819b697dcffddc9ca7c06bfcf72766ec86d40
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Now that we are running puppet in masterless mode, we don't need to tell
nodes where the puppetmaster is, or what their certname is, nor do we
need to keep running the puppetmaster in Apache. This patch cleans those
things up.
Change-Id: I663af0d9948f2ce3a47cc22ada47c3bbbbf316fa
The zuul workers already have these repos installed by
install_puppet.sh (not for much longer but still).
Change-Id: I52bd7d48586492e8843b47bfb91043f28ea06b78
iptables rules are statically installed on zuul workers by DIB, so we
can move this class from openstack_project::template to
openstack_project::server and remove some related parameters from
openstack_project::template and openstack_project::single_use_slave.
Change-Id: I03db58441674a3f3eea86165c949a7d14425a0b7
Depends-On: I3ee306e46747b77499ff8975cd3d842b09ec2937
single_use_slave does not enable afs so we can move the client class
over to openstack_project::server. We don't remove the afs parameter
from the template class yet because it is needed for the iptables class.
Change-Id: Ibb099d5ffbf40501c27ba5caedd1e94e5ead6827
Now that glean manages our ssh keys for nodepool diskimages, we can
remove this puppet code.
Change-Id: I443258acd37a7df17ab30af48b181570489b9b16
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Limits was recently added for NPM jobs and should be moved into JJB.
Our apt.conf.d changes can be removed; we now have local APT mirrors
in each region, which should remove the need for these 2 files.
As for the reason for the removal of our 2 apt.conf.d files, I believe
we no longer need to skip translations or apt retry values as each
cloud region has local AFS repos for APT.
However, I plan to keep an eye on this and we can always add these
files back into DIB elements if it becomes an issue.
Change-Id: Iafec2c547f65386805822ff2b0ba9a418c962a8e
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We no longer need to manage sudoers, as we do this with DIB elements
now.
Change-Id: Ic558953ae2ba04c78408f43138495200fc9395dc
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Remove rsyslog from diskimages, as we want to manage it outside of
puppet.
Change-Id: I55b608edb826e9614682bb372898414c543a4865
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This drops the puppet dependency from our diskimages.
Change-Id: I653b5f31ce7075e455de8617c8604e78fc7eb449
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We don't need to stop the puppet service in single_use_slave, so as part
of emptying out openstack_project::template, move that resource
to openstack_project::server.
We still need to disable the service during the image build so add that
to the install_puppet.sh script.
Change-Id: I11db1b49f083c7a30e7908ba5a4a7df9d4033c9f
This is part of the effort to remove puppet from our diskimage builds.
Change-Id: Ia2926621211e647504b2636606cba4119c17e0cc
Depends-On: I4335eaa7948428a04cd2b4e73bb7dcc024dd7c97
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
First we remove the `include ::pip` from single_use_slave, since it was
already being declared in openstack_project::template and it is a fluke
of puppet that it wasn't causing a duplicate resource error.
Then we move the pip puppet class and the virtualenv package resource
out of openstack_project::template to openstack_project::server. The
virtualenv package should already be installed on nodepool workers by DIB.
The pip puppet class does three things:
1. Installs the python devel package, which we are already getting
   from DIB
2. Installs pip, which we are already getting from DIB
3. Manages pip.conf. Here in the puppet manifests we're setting the
   index URL to the upstream pypi repository, not our mirrors. When
   the node is launched in nodepool the configure_mirror.sh ready
   script will undo this and configure pip to use our mirrors.
So there should be no need to use the pip class on the nodepool workers.
Change-Id: Icc720e61cd12f31113a6e12482d4903a6772ae69
*-minimal images don't have byobu, whoopsie, or popularity-contest
installed on them, so there is no need to purge them from
single_use_slave. We can move these over to openstack_project::server to
help empty out openstack_project::template.
Change-Id: I3b39a89269e424f3d1c5806f35c743937c92f3f8
single_use_slave turns this off so there is no reason to keep it in the
openstack_project::template class.
This patch also removes the automatic_upgrades parameter from the
single_use_slave class, which is safe because project-config does not
use it.
Change-Id: If4d425cb581f4c5f57fbcdd7eee0622e829cb7ec
single_use_slave does not set the manage_exim parameter in
openstack_project::template to true so there is no reason to manage it
there. We can move the exim class into openstack_project::server to help
empty out openstack_project::template.
Change-Id: I3e933e55af147b9c50a6c2f861919449b8114e0a
We use snmpd for cacti.o.o today, which our workers do not use. As
such, remove it so we can reduce our puppet footprint.
Change-Id: Ic26a8e6f2b2fe3d76c36c4ed7bccd8efb7839858
Signed-off-by: Paul Belanger <pabelanger@redhat.com>