diff --git a/manifests/params.pp b/manifests/params.pp index c3039b8..6ccb6ae 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -132,10 +132,10 @@ class puppet_cd::params ( ) { # facts - $fqdn = $facts['networking']['fqdn'] - $domain = $facts['networking']['domain'] - $os_name = $facts['os']['name'] - $os_release = $facts['os']['release']['major'] + $fqdn = $facts['networking']['fqdn'] + $domain = $facts['networking']['domain'] + $os_name = $facts['os']['name'] + $os_release = $facts['os']['release']['major'] # directories ## puppet @@ -149,10 +149,12 @@ class puppet_cd::params ( $pt_rundir_master = '/var/run/puppetlabs/puppetserver' $pt_vardir = '/opt/puppetlabs/puppet/cache' $pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver' - ## r10k $pt_r10k_dir = "${pt_main_dir}/r10k" $pt_r10k_webhook_dir = '/etc/r10k-webhook' +## puppetdb + $pt_puppetdb_dir = '/etc/puppetlabs/puppetdb' + $pt_puppetdb_conf_dir = "${pt_puppetdb_dir}/conf.d" # files ## puppet 
@@ -165,13 +167,31 @@ class puppet_cd::params ( $pt_routes_erb = 'puppet_cd/puppetdb/routes.yaml.erb' $pt_node_rb_file = "${pt_puppetdir}/node.rb" $pt_node_rb_erb = 'puppet_cd/puppetdb/node.rb.erb' - ## r10k $pt_r10k_file = "${pt_r10k_dir}/r10k.yaml" $pt_r10k_erb = 'puppet_cd/r10k/r10k.yaml.erb' $pt_webhook_link = 'ln -sf /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/' $pt_webhook_service_file = '/etc/systemd/system/r10k_gitlab_webhook.service' $pt_webhook_service_erb = 'puppet_cd/r10k/r10k_webhook_service.erb' +## puppetdb + $pt_bootstrap_conf_file = "${pt_puppetdb_dir}/bootstrap.cfg" + $pt_bootstrap_conf_erb = 'puppet_cd/puppetdb/bootstrap.cfg.erb' + $pt_logback_conf_file = "${pt_puppetdb_dir}/logback.xml" + $pt_logback_conf_erb = 'puppet_cd/puppetdb/logback.xml.erb' + $pt_logging_conf_file = "${pt_puppetdb_dir}/request-logging.xml" + $pt_logging_conf_erb = 'puppet_cd/puppetdb/request_logging.xml.erb' + $pt_auth_conf_file = "${pt_puppetdb_conf_dir}/auth.conf" + $pt_auth_conf_erb = 'puppet_cd/puppetdb/auth.conf.erb' + $pt_config_ini_file = "${pt_puppetdb_conf_dir}/config.ini" + $pt_config_ini_erb = 'puppet_cd/puppetdb/config.ini.erb' + $pt_db_ini_file = "${pt_puppetdb_conf_dir}/database.ini" + $pt_db_ini_erb = 'puppet_cd/puppetdb/database.ini.erb' + $pt_jetty_ini_file = "${pt_puppetdb_conf_dir}/jetty.ini" + $pt_jetty_ini_erb = 'puppet_cd/puppetdb/jetty.ini.erb' + $pt_repl_ini_file = "${pt_puppetdb_conf_dir}/repl.ini" + $pt_repl_ini_erb = 'puppet_cd/puppetdb/repl.ini.erb' + $pt_service_conf_file = '/usr/lib/systemd/system/puppetdb.service' + $pt_service_conf_erb = 'puppet_cd/puppetdb/service.conf.erb' # service $pt_server_service = 'puppetserver' diff --git a/manifests/puppetdb/dirs.pp b/manifests/puppetdb/dirs.pp new file mode 100644 index 0000000..16748af --- /dev/null +++ b/manifests/puppetdb/dirs.pp 
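Review bot: `$pt_service_conf_file = '/usr/lib/systemd/system/puppetdb.service'` points the managed unit at the vendor path owned by the puppetdb package, so every package upgrade will overwrite the module's unit and the next Puppet run will clobber the package's, restarting the service on each flip. The systemd convention — and the header of the template this path is rendered from, which tells admins to use drop-ins — is to leave the vendor unit alone and put site changes in `/etc/systemd/system/puppetdb.service` or a `puppetdb.service.d/` drop-in. I would set `$pt_service_conf_file = '/etc/systemd/system/puppetdb.service'`; the `systemd_unit_file_t` label used when the file is written should still be correct under `/etc/systemd/system`.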
@@ -0,0 +1,34 @@ +## puppet_cd::puppetdb::dirs.pp +# Module name: puppet_cd +# Author: Arne Teuke (arne_teuke@confdroid) +# @summary Class manages directories for the puppetdb section +############################################################################### +class puppet_cd::puppetdb::dirs ( + +) inherits puppet_cd::params { + if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) { + require puppet_cd::main::install + + file { $pt_puppetdb_dir: + ensure => directory, + owner => 'puppetdb', + group => 'puppetdb', + mode => '0750', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + } + + file { $pt_puppetdb_conf_dir: + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + } + } +} diff --git a/manifests/puppetdb/files.pp b/manifests/puppetdb/files.pp new file mode 100644 index 0000000..e09d55a --- /dev/null +++ b/manifests/puppetdb/files.pp 
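Review bot: `$pt_puppetdb_dir` is created `owner => 'puppetdb'` with `mode => '0750'`, which makes the service account the owner of its own configuration directory: a compromised puppetdb process could rename or replace `bootstrap.cfg`, `logback.xml` or the `conf.d` directory itself, because the permission that matters for that is the write bit on the parent, not the root ownership of the entries. Everything this commit places in the directory is root-owned and only needs to be readable by the service, so `owner => 'root'`, `group => 'puppetdb'`, `mode => '0750'` gives least privilege. The caveat is the `ssl/` subdirectory referenced by jetty.ini, which is not managed here — if anything running as puppetdb writes keys there, keep that subdirectory writable rather than the whole tree. Puppet would restore the managed files on its next run, but the window in between is unnecessary.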
@@ -0,0 +1,131 @@ +## puppet_cd::puppetdb::files.pp +# Module name: puppet_cd +# Author: Arne Teuke (arne_teuke@confdroid) +# @summary Class manages config files for the puppetdb section +############################################################################### +class puppet_cd::puppetdb::files ( + +) inherits puppet_cd::params { + if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) { + require puppet_cd::puppetdb::dirs + + # bootstrap.cfg + file { $pt_bootstrap_conf_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_bootstrap_conf_erb), + notify => Service[$pt_db_service], + } + # logback.xml + file { $pt_logback_conf_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_logback_conf_erb), + notify => Service[$pt_db_service], + } + # request-logging.xml + file { $pt_logging_conf_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_logging_conf_erb), + notify => Service[$pt_db_service], + } + # service config + file { $pt_service_conf_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => systemd_unit_file_t, + seluser => system_u, + content => template($pt_service_conf_erb), + notify => Service[$pt_db_service], + } + # conf.d files + ## auth.conf + file { $pt_auth_conf_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_auth_conf_erb), + notify => Service[$pt_db_service], + } + # config.ini + file { 
$pt_config_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_config_ini_erb), + notify => Service[$pt_db_service], + } + # database.ini + file { $pt_db_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_db_ini_erb), + notify => Service[$pt_db_service], + } + # jetty.ini + file { $pt_jetty_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_jetty_ini_erb), + notify => Service[$pt_db_service], + } + # repl.ini + file { $pt_repl_ini_file: + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => puppet_etc_t, + seluser => system_u, + content => template($pt_repl_ini_erb), + notify => Service[$pt_db_service], + } + } +} diff --git a/manifests/server/service.pp b/manifests/server/service.pp index cd31493..5e6e1b7 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -41,6 +41,7 @@ class puppet_cd::server::service ( if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) { require puppet_cd::firewall::iptables + require puppet_cd::puppetdb::files service { $pt_db_service: ensure => running, diff --git a/templates/puppetdb/auth.conf.erb b/templates/puppetdb/auth.conf.erb new file mode 100644 index 0000000..b1535b2 --- /dev/null +++ b/templates/puppetdb/auth.conf.erb 
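Review bot: `database.ini` is written `owner => 'root', group => 'root', mode => '0644'`, yet its template renders `password = <%= @pt_db_password %>`, so the PostgreSQL credential for PuppetDB is readable by every local user on the host. The service runs as `puppetdb` (per the unit file in this commit), so `group => 'puppetdb'` and `mode => '0640'` on the `$pt_db_ini_file` resource are enough for it to read the file while closing the world-readable bit. Consider also `content => Sensitive(template($pt_db_ini_erb))` (Puppet ≥ 4.6) so the password does not show up in agent report diffs when the file changes. The class body is complete within this hunk.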
@@ -0,0 +1,50 @@ +authorization: { + version: 1 + rules: [ + { + # Allow unauthenticated access to the status service endpoint + match-request: { + path: "/status/v1/services" + type: path + method: get + } + allow-unauthenticated: true + sort-order: 500 + name: "puppetlabs status service - full" + }, + { + match-request: { + path: "/status/v1/simple" + type: path + method: get + } + allow-unauthenticated: true + sort-order: 500 + name: "puppetlabs status service - simple" + }, + { + # Allow nodes to access the metrics service + # for puppetdb, the metrics service is the only + # service using the authentication service + match-request: { + path: "/metrics" + type: path + method: [get, post] + } + allow: "*" + sort-order: 500 + name: "puppetlabs puppetdb metrics" + }, + { + # Deny everything else. This ACL is not strictly + # necessary, but illustrates the default policy + match-request: { + path: "/" + type: path + } + deny: "*" + sort-order: 999 + name: "puppetlabs deny all" + } + ] +} diff --git a/templates/puppetdb/bootstrap.cfg.erb b/templates/puppetdb/bootstrap.cfg.erb new file mode 100644 index 0000000..280aa9f --- /dev/null +++ b/templates/puppetdb/bootstrap.cfg.erb 
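Review bot: The `/metrics` rule uses `allow: "*"`, which in trapperkeeper-authorization admits any request presenting a certificate signed by the Puppet CA — i.e. every agent node — for both `get` and `post`, not just the monitoring hosts the comment has in mind. The metrics endpoints expose JVM, connection-pool and command-queue internals that are useful for reconnaissance, so I would restrict the rule to the certnames that actually scrape it, e.g. `allow: ["monitor.example.com"]` rendered from a module parameter. Note too, as the template's own comment says, that this file only governs the metrics service: the `deny: "*"` catch-all does not protect the PuppetDB query and command API, which is controlled by `certificate-whitelist` in config.ini instead.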
@@ -0,0 +1,34 @@ +############################################################################### +######### File created by Puppet - manual changes will be overwritten ######### +############################################################################### + +# This file is used by the application framework (trapperkeeper) to +# determine what services should be loaded at boot time. +# For more info, see: +# https://github.com/puppetlabs/trapperkeeper/wiki/Bootstrapping + +# Web Server +puppetlabs.trapperkeeper.services.webserver.jetty10-service/jetty10-service + +# Webrouting +puppetlabs.trapperkeeper.services.webrouting.webrouting-service/webrouting-service + +# TK metrics - the authorization service is currently only used by the metrics service +puppetlabs.trapperkeeper.services.authorization.authorization-service/authorization-service +puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-webservice +# TK status +puppetlabs.trapperkeeper.services.status.status-service/status-service +puppetlabs.trapperkeeper.services.scheduler.scheduler-service/scheduler-service + +# PuppetDB Services +puppetlabs.puppetdb.cli.services/puppetdb-service +puppetlabs.puppetdb.command/command-service +puppetlabs.puppetdb.pdb-routing/maint-mode-service +puppetlabs.puppetdb.pdb-routing/pdb-routing-service +puppetlabs.puppetdb.config/config-service + +# NREPL +puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service + +# Dashboard redirect for "/" (not "/pdb"): remove to disable +puppetlabs.puppetdb.dashboard/dashboard-redirect-service \ No newline at end of file diff --git a/templates/puppetdb/config.ini.erb b/templates/puppetdb/config.ini.erb new file mode 100644 index 0000000..ae15dc6 --- /dev/null +++ b/templates/puppetdb/config.ini.erb 
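Review bot: `puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service` is loaded unconditionally, while repl.ini in this commit renders `enabled = <%= @pt_repl_on %>`; as far as I know nREPL has no authentication, so whoever can reach its port gets a Clojure REPL inside the PuppetDB JVM — arbitrary code execution as the `puppetdb` user with the database credentials in memory. Loading the service only when the REPL is wanted removes the listener entirely instead of relying on the `enabled` flag and a sane `host` default: `<% if @pt_repl_on %>` / `puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service` / `<% end %>`. The defaults of `pt_repl_on` and `pt_repl_host` are not visible in this diff; if the REPL defaults to on, or `host` to anything other than `127.0.0.1`, that should be changed as well. The file also lacks a trailing newline, which is cosmetic.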
@@ -0,0 +1,20 @@ +############################################################################### +######### File created by Puppet - manual changes will be overwritten ######### +############################################################################### + +# See README.md for more thorough explanations of each section and +# option. + +[global] +# Store mq/db data in a custom directory +vardir = /opt/puppetlabs/server/data/puppetdb + +# Use an external logback config file +logging-config = /etc/puppetlabs/puppetdb/logback.xml + +[command-processing] +# How many command-processing threads to use, defaults to (CPUs / 2) +# threads = 4 + +# How many threads can write to disk at once, defaults to min(CPUs / 2, 4) +# concurrent-writes = 4 diff --git a/templates/puppetdb/database.ini.erb b/templates/puppetdb/database.ini.erb new file mode 100644 index 0000000..fccd220 --- /dev/null +++ b/templates/puppetdb/database.ini.erb @@ -0,0 +1,17 @@ +############################################################################### +######### File created by Puppet - manual changes will be overwritten ######### +############################################################################### + +[database] + +# The database address, i.e. //HOST:PORT/DATABASE_NAME +subname = <%= @pt_db_subname %> + +# Connect as a specific user +username = <%= @pt_db_username %> + +# Use a specific password +password = <%= @pt_db_password %> + +# How often (in minutes) to compact the database +gc-interval = <%= @pt_gc_interval %> diff --git a/templates/puppetdb/jetty.ini.erb b/templates/puppetdb/jetty.ini.erb new file mode 100644 index 0000000..174c9b3 --- /dev/null +++ b/templates/puppetdb/jetty.ini.erb 
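Review bot: config.ini has no `[puppetdb]` section and therefore no `certificate-whitelist`, so once the HTTPS listener from jetty.ini is up, any client holding a certificate signed by the Puppet CA — every agent node — can, as far as I recall PuppetDB's default behaviour, query the whole inventory (facts, catalogs and reports for all hosts) and submit commands such as `replace facts`. Restricting the API to the Puppet Server certname(s) is the documented control: add `[puppetdb]` and `certificate-whitelist = /etc/puppetlabs/puppetdb/certificate-whitelist`, and manage that file (one certname per line) in files.pp. A short comment in the template explaining that auth.conf does not cover this API would save the next maintainer from assuming the `deny: "*"` rule there is sufficient.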
@@ -0,0 +1,37 @@ +############################################################################### +######### File created by Puppet - manual changes will be overwritten ######### +############################################################################### + +[jetty] +# IP address or hostname to listen for clear-text HTTP. To avoid resolution +# issues, IP addresses are recommended over hostnames. +# Default is `localhost`. +# host = + +# Port to listen on for clear-text HTTP. +port = <%= @pt_http_port %> + +# The following are SSL specific settings. They can be configured +# automatically with the tool `puppetdb ssl-setup`, which is normally +# ran during package installation. + +# IP address to listen on for HTTPS connections. Hostnames can also be used +# but are not recommended to avoid DNS resolution issues. To listen on all +# interfaces, use `0.0.0.0`. +ssl-host = 0.0.0.0 + +# The port to listen on for HTTPS connections +ssl-port = <%= @pt_https_port %> + +# Private key path +ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem + +# Public certificate path +ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem + +# Certificate authority path +ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem + +# Access logging configuration path. To turn off access logging +# comment out the line with `access-log-config=...` +access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml diff --git a/templates/puppetdb/logback.xml.erb b/templates/puppetdb/logback.xml.erb new file mode 100644 index 0000000..fb31aad --- /dev/null +++ b/templates/puppetdb/logback.xml.erb 
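Review bot: `port = <%= @pt_http_port %>` is rendered unconditionally, so the clear-text HTTP listener is always enabled; PuppetDB performs no client authentication on that listener, so anyone who can reach it gets the same read/write access to the API as a whitelisted certificate gives. With `host` left commented it binds to `localhost`, which limits this to local users, but an operator later uncommenting `host` would expose it network-wide. I would make the listener opt-in — `<% if @pt_http_port %>port = <%= @pt_http_port %><% end %>` or a dedicated boolean — and extend the `host` comment to say why it must stay on localhost. The TLS side looks right: `ssl-host = 0.0.0.0` with key, cert and CA paths matching what `puppetdb ssl-setup` produces.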
@@ -0,0 +1,52 @@ + + + + %d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n + + + + + /var/log/puppetlabs/puppetdb/puppetdb.log + true + + /var/log/puppetlabs/puppetdb/puppetdb-%d{yyyy-MM-dd}.%i.log.gz + + 200MB + 90 + 1GB + + + %d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n + + + + + + + + /var/log/puppetlabs/puppetdb/puppetdb-status.log + true + + + /var/log/puppetlabs/puppetdb/puppetdb-status-%d{yyyy-MM-dd}.%i.log.gz + + 200MB + 90 + 1GB + + + + %m%n + + + + + + + + + + + + + diff --git a/templates/puppetdb/repl.ini.erb b/templates/puppetdb/repl.ini.erb new file mode 100644 index 0000000..c6bcd40 --- /dev/null +++ b/templates/puppetdb/repl.ini.erb @@ -0,0 +1,13 @@ +############################################################################### +######### File created by Puppet - manual changes will be overwritten ######### +############################################################################### + +[nrepl] +# Set to true to enable the remote REPL +enabled = <%= @pt_repl_on %> + +# What port the REPL should listen on +port = <%= @pt_repl_port %> + +# IP address to listen on +host = <%= @pt_repl_host %> diff --git a/templates/puppetdb/request_logging.xml.erb b/templates/puppetdb/request_logging.xml.erb new file mode 100644 index 0000000..10c8a47 --- /dev/null +++ b/templates/puppetdb/request_logging.xml.erb @@ -0,0 +1,17 @@ + + + /var/log/puppetlabs/puppetdb/puppetdb-access.log + true + + /var/log/puppetlabs/puppetdb/puppetdb-access-%d{yyyy-MM-dd}.%i.log.gz + + 200MB + 90 + 1GB + + + %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D %header{X-Uncompressed-Length} + + + + diff --git a/templates/puppetdb/service.conf.erb b/templates/puppetdb/service.conf.erb new file mode 100644 index 0000000..9f3c5cd --- /dev/null +++ b/templates/puppetdb/service.conf.erb 
@@ -0,0 +1,51 @@ +############################################################################### +######### File created by Puppet - manual changes will be overwritten ######### +############################################################################### +# +# Local settings can be configured without being overwritten by package upgrades, for example +# if you want to increase puppetdb open-files-limit to 10000, +# you need to increase systemd's LimitNOFILE setting, so create a file named +# "/etc/systemd/system/puppetdb.service.d/limits.conf" containing: +# [Service] +# LimitNOFILE=10000 +# You can confirm it worked by running systemctl daemon-reload +# then running systemctl show puppetdb | grep LimitNOFILE +# +[Unit] +Description=puppetdb Service +After=syslog.target network.target nss-lookup.target + +[Service] +Type=forking +EnvironmentFile=/etc/sysconfig/puppetdb +User=puppetdb +TimeoutStartSec=14400 +TimeoutStopSec=60 +Restart=on-failure +StartLimitBurst=5 +PIDFile=/run/puppetlabs/puppetdb/puppetdb.pid + +# https://tickets.puppetlabs.com/browse/EZ-129 +# Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512' +# was implemented. This is low enough to cause problems for certain applications. In systemd 231, the +# default was changed to be 15% of the default kernel limit. This explicitly sets TasksMax to 4915, +# which should match the default in systemd 231 and later. +# See https://github.com/systemd/systemd/issues/3211#issuecomment-233676333 +TasksMax=4915 + +#set default privileges to -rw-r----- +UMask=027 + + +ExecReload=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb reload +ExecStart=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb start +ExecStop=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb stop + +KillMode=process + +SuccessExitStatus=143 + +StandardOutput=journal + +[Install] +WantedBy=multi-user.target
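Review bot: The unit runs the daemon as `User=puppetdb` but applies none of systemd's sandboxing directives, and since the module now owns this file it is the natural place to add them: `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectHome=true` are low-risk for a JVM service whose writes go to `/opt/puppetlabs/server/data`, `/var/log/puppetlabs` and `/run/puppetlabs`, while `ProtectSystem=full` needs testing because `puppetdb ssl-setup` and this module write under `/etc/puppetlabs/puppetdb`. Beyond that, the content looks like a verbatim copy of the vendor unit, so the override adds upgrade drift without changing behaviour; if no customization is intended, a drop-in under `/etc/systemd/system/puppetdb.service.d/` would be safer than replacing the whole unit. `EnvironmentFile=/etc/sysconfig/puppetdb` is referenced but not managed by this commit, so JVM options still come from the package defaults — worth a comment in the template so nobody assumes heap or `java.io.tmpdir` are under Puppet control.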