Commit 2310d680 authored by Jonathan Lent's avatar Jonathan Lent

RHEL7 additions and CentOS manifest tweaks

[os][rpm] Support CentOS via its own class, stub an OEL
class, small fixes to redhat.pp to be generic enough for use
by these RHEL-ish operating systems, edits to allow EL7-
specific repository inclusions {and exclusions} (jlent)
parent 60741797
release/004.036 (2015-04-14)
[os][rpm] Support CentOS via its own class, stub an OEL
class, small fixes to redhat.pp to be generic enough for use
by these RHEL-ish operating systems, edits to allow EL7-
specific repository inclusions {and exclusions} (jlent)
release/004.035 (2015-04-12)
[ipmi] Re-endable ipmievd on jessie by setting the options
......
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;local0.none;local1.none;auth.none;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# General configuration of the basic operating system. Nearly everything
# here is specific to the version of Linux we're running and is handled by
# the appropriate separate class.
class base::os {
case $::operatingsystem {
'Debian': { include base::os::debian }
'Ubuntu': { include base::os::ubuntu }
'RedHat': { include base::os::redhat }
'CentOS': { include base::os::centos }
'OEL': { include base::os::oel }
default: { include base::os::debian }
}
base::os::motd { '/etc/motd':
ensure => present,
template => 'base/os/motd.erb',
}
case $::operatingsystem {
'debian': { include base::os::debian }
'ubuntu': { include base::os::ubuntu }
# assuming everything else is RHELish for now
default: { include base::os::redhat }
}
# Get warranty expiration facts for Dell hardware.
if ($::manufacturer =~ /Dell/) {
......@@ -29,9 +32,10 @@ class base::os {
# Generate an iptables fact for the firewall team to query.
file { '/var/lib/puppet/sufact/su_iptables':
ensure => $osfamily ? {
ensure => $::osfamily ? {
RedHat => '/etc/sysconfig/iptables',
default => '/etc/iptables/general',
}
}
}
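Review bot: The `default:` arm of the first `case $::operatingsystem` block in `base::os` includes `base::os::debian` for every operating system not listed. The page has lost its +/- markers, so I am assuming this block is the new side because it carries the CentOS and OEL arms. Under that reading, an unlisted RHEL-like host would silently get the Debian baseline, where the other `case` block sent everything else to `base::os::redhat`. Failing the catalog is safer than applying the wrong hardening profile, for example `default: { fail("base::os: unsupported operatingsystem ${::operatingsystem}") }`.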
#
# Rules specific to CentOS systems. Very thin class because with
# minor edits to redhat.pp, little additional config is needed
class base::os::centos {
# redhat.pp can handle most of the heavy lifting for CentOS
include base::os::redhat
# Preserve the native CentOS repos. These get squashed otherwise
# tested on CentOS6 x86_64,
$centos_repos = [ '/etc/yum.repos.d/CentOS-Base.repo',
'/etc/yum.repos.d/CentOS-Debuginfo.repo',
'/etc/yum.repos.d/CentOS-fasttrack.repo',
'/etc/yum.repos.d/CentOS-Media.repo',
'/etc/yum.repos.d/CentOS-Vault.repo' ]
file { $centos_repos: ensure => present }
# some important packages to have
$centos_pkgs = [ 'dmidecode', 'kmod-openafs' ]
package { $centos_pkgs: ensure => installed }
# a couple of random packages we should have
$centos_opt_pkgs = [ 'vim-enhanced', 'wget' ]
package { $centos_opt_pkgs: ensure => installed }
# group 37 (operator/rpm) does not exist on CentOS
group { 'operator':
ensure => present,
gid => '37',
}
# CentOS repo rpm gpg key
base::rpm::import { 'centos-rpmkey':
url => "/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-${::lsbmajdistrelease}",
signature => $::lsbmajdistrelease ? {
'5' => 'gpg-pubkey-e8562897-459f07a4',
'6' => 'gpg-pubkey-c105b9de-4e0fd3a3',
'7' => 'gpg-pubkey-f4a80eb5-53a7ff4b',
};
}
}
#
# Rules specific to Oracle Enterprise Linux systems.
# Simply stubbing for now
class base::os::oel {
# For now, let's pretend it's just RedHat
include base::os::redhat
}
......@@ -3,121 +3,138 @@
# absolute minimum. Part of the goal of Puppet is to make our systems
# look as similar as possible given the inherent differences between the
# distributions, and that means that changes should be wrapped in
# conceptual packages that do equivalent things on both distributions.
# conceptual packages that do equivalent things on both RHEL and Debian.
# This ruleset is mostly generic enough for use by CentOS, and maybe other
# RHEL-like operating systems. If larger edits are necessary for future
# OS', fork this off into another manifest rather than edit and include it
# The newsyslog module provides the /etc/filter-syslog directory, which we
# need to install rules.
class base::os::redhat {
include base::newsyslog,
base::rpm
include base::newsyslog,
base::os::redhat::syslog,
base::rpm,
epel # our partial EPEL mirror
package {
'emacs-nox': ensure => present;
'kstart':
ensure => present,
require => Base::Rpm::Import['stanford-rpmkey'];
'libxml2': ensure => present; # needed for dell firmware updates
'mailx': ensure => present;
'procmail': ensure => present; # needed for dell firmware updates
}
package {
'emacs-nox': ensure => present;
'kstart':
ensure => present,
require => Base::Rpm::Import['stanford-rpmkey'];
'libxml2': ensure => present; # needed for dell firmware updates
'mailx': ensure => present;
'procmail': ensure => present; # needed for dell firmware updates
'redhat-lsb': ensure => present;
}
base::rpm::import { 'stanford-rpmkey':
url => 'http://yum.stanford.edu/STANFORD-GPG-KEY',
signature => 'gpg-pubkey-af476543-44720559';
}
base::rpm::import { 'stanford-rpmkey':
url => 'http://yum.stanford.edu/STANFORD-GPG-KEY',
signature => 'gpg-pubkey-af476543-44720559';
}
case $::lsbmajdistrelease {
# RHEL4
'4': {
base::rpm::import { 'redhat-rpmkey':
url => '/usr/share/rhn/RPM-GPG-KEY',
signature => 'gpg-pubkey-db42a60e-37ea5438';
}
package {
'kernel-utils': ensure => present;
'slocate': ensure => present;
'lsb-release': ensure => present;
}
# RHEL RPM GPG Key stuff
case $::lsbmajdistrelease {
# RHEL4
'4': {
# CentOS repo handled in centos.pp
if ($::operatingsystem == 'RedHat') {
base::rpm::import { 'redhat-rpmkey':
url => '/usr/share/rhn/RPM-GPG-KEY',
signature => 'gpg-pubkey-db42a60e-37ea5438';
}
# RHEL5 & 6
default: {
base::rpm::import { 'redhat-rpmkey':
url => '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release',
signature => $::lsbmajdistrelease ? {
'5' => 'gpg-pubkey-37017186-45761324',
'6' => 'gpg-pubkey-fd431d51-4ae0493b',
};
}
base::rpm::import { 'dag-rpmkey':
url =>
'/usr/share/doc/rpmforge-release-0.3.6/RPM-GPG-KEY-rpmforge-dag',
signature => 'gpg-pubkey-6b8d79e6-3f49313d';
}
package {
'mlocate': ensure => present;
}
}
}
if ($::lsbmajdistrelease == '5') {
package { 'redhat-lsb': ensure => present }
}
package {
'kernel-utils': ensure => present;
'slocate': ensure => present;
'lsb-release': ensure => present;
}
}
# RHEL4 and 5 need links to krb utils
case $::lsbmajdistrelease {
'4','5': {
file {
'/usr/bin/kinit':
ensure => link,
target => '/usr/kerberos/bin/kinit';
'/usr/bin/kdestroy':
ensure => link,
target => '/usr/kerberos/bin/kdestroy';
'/usr/bin/ksu':
ensure => link,
target => '/usr/kerberos/bin/ksu';
}
# RHEL5+
default: {
# CentOS repo handled in centos.pp
if ($::operatingsystem == 'RedHat') {
base::rpm::import { 'redhat-rpmkey':
url => '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release',
signature => $::lsbmajdistrelease ? {
'5' => 'gpg-pubkey-37017186-45761324',
'6' => 'gpg-pubkey-fd431d51-4ae0493b',
};
}
# RHEL6 just needs a link for fdformat since it moved to /usr/sbin
'6': {
file { '/usr/bin/fdformat':
ensure => link,
target => '/usr/sbin/fdformat';
}
package { 'redhat-lsb-core': ensure => present }
}
if ($::lsbmajdistrelease != '7') {
base::rpm::import { 'dag-rpmkey':
url =>
'/usr/share/doc/rpmforge-release-0.3.6/RPM-GPG-KEY-rpmforge-dag',
signature => 'gpg-pubkey-6b8d79e6-3f49313d';
}
default: {}
}
package {
'mlocate': ensure => present;
}
}
}
# EL7 has its own class
if ($::lsbmajdistrelease == '7') {
include base::os::redhat::el7
}
file {
'/etc/filter-syslog/redhat':
source => 'puppet:///modules/base/os/etc/filter-syslog/redhat',
require => Package['filter-syslog'];
'/etc/profile.d/usrlocal.sh':
source => 'puppet:///modules/base/os/etc/profile.d/usrlocal.sh';
'/etc/profile.d/usrlocal.csh':
source => 'puppet:///modules/base/os/etc/profile.d/usrlocal.csh';
'/etc/profile.d/krbsu.sh':
source => 'puppet:///modules/base/os/etc/profile.d/krbsu.sh';
'/etc/profile.d/krbsu.csh':
source => 'puppet:///modules/base/os/etc/profile.d/krbsu.csh';
'/etc/profile.d/prompt.sh':
source => 'puppet:///modules/base/os/etc/profile.d/prompt.sh';
'/etc/sysconfig/selinux':
ensure => link,
target => '/etc/selinux/config';
'/etc/selinux':
ensure => directory;
'/etc/selinux/config':
source => 'puppet:///modules/base/os/etc/selinux/config';
'/etc/cron.daily/prelink':
ensure => absent;
# RHEL4 and 5 need links to krb utils
case $::lsbmajdistrelease {
'4','5': {
file {
'/usr/bin/kinit':
ensure => link,
target => '/usr/kerberos/bin/kinit';
'/usr/bin/kdestroy':
ensure => link,
target => '/usr/kerberos/bin/kdestroy';
'/usr/bin/ksu':
ensure => link,
target => '/usr/kerberos/bin/ksu';
}
}
# RHEL6 just needs a link for fdformat since it moved to /usr/sbin
'6': {
file { '/usr/bin/fdformat':
ensure => link,
target => '/usr/sbin/fdformat';
}
package { 'redhat-lsb-core': ensure => present }
}
default: {}
}
file {
'/etc/filter-syslog/redhat':
source => 'puppet:///modules/base/os/etc/filter-syslog/redhat',
require => Package['filter-syslog'];
'/etc/profile.d/usrlocal.sh':
source => 'puppet:///modules/base/os/etc/profile.d/usrlocal.sh';
'/etc/profile.d/usrlocal.csh':
source => 'puppet:///modules/base/os/etc/profile.d/usrlocal.csh';
'/etc/profile.d/krbsu.sh':
source => 'puppet:///modules/base/os/etc/profile.d/krbsu.sh';
'/etc/profile.d/krbsu.csh':
source => 'puppet:///modules/base/os/etc/profile.d/krbsu.csh';
'/etc/profile.d/prompt.sh':
source => 'puppet:///modules/base/os/etc/profile.d/prompt.sh';
'/etc/sysconfig/selinux':
ensure => link,
target => '/etc/selinux/config';
'/etc/selinux':
ensure => directory;
'/etc/selinux/config':
source => 'puppet:///modules/base/os/etc/selinux/config';
'/etc/cron.daily/prelink':
ensure => absent;
}
# Set kernel.sysrq = 1 for RH systems
base::sysctl { 'kernel.sysrq': ensure => 1 }
# Set kernel.sysrq = 1 for RH systems
base::sysctl { 'kernel.sysrq': ensure => 1 }
# Disable zeroconf
base::textline { 'NOZEROCONF=yes': ensure => '/etc/sysconfig/network' }
# Disable zeroconf
base::textline { 'NOZEROCONF=yes': ensure => '/etc/sysconfig/network' }
}
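Review bot: The `redhat-rpmkey` selector in the `default:` arm (now commented "RHEL5+") still maps only `'5'` and `'6'`. A RedHat host on release 7 reaches the selector with no matching value and no `default`, which should abort catalog compilation. The CentOS class in this commit does carry a `'7'` entry, so the omission here looks unintentional. Add the RHEL7 release key, e.g. `'7' => '<gpg-pubkey id of the RHEL7 release key>',` (placeholder, the value is not on this page). Separately, the comment block at the top of the file ends mid-sentence at "rather than edit and include it".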
# RHEL/CentOS7-specific things
# Summary:
# - Proactively install Perl prerequisites for stanford-* packages
# - Get around the AFS byte-range issue with puppetized configs
# - Disable firewalld in favor of iptables
class base::os::redhat::el7 {
if ($::lsbmajdistrelease == '7') {
# dependencies to run the stanford-* tools
$el7_deps = [ 'perl-Config-Simple', 'perl-Crypt-PasswdMD5',
'perl-Date-Calc', 'perl-IPC-Run', 'perl-Sys-Hostname-Long',
'perl-File-Tail', 'sysstat', 'perl-Net-SNMP',
'perl-Net-Server', 'perl-IO-Multiplex', 'perl-News-Article',
'perl-Perl6-Slurp' ]
package { $el7_deps: ensure => present }
# directory to allow one-time execs
file { '/var/puppet':
ensure => 'directory',
mode => '0644',
}
# remove versions of AFS cell configs installed by openafs-*
# Due to an encoding 'bug' in Puppet, Puppet cannot checksum the AFS
# cell configs provided by openafs* because Puppet encodes via ASCII
# and chokes on a unicode character in the provided file
exec { 'workaround_bytelock_afs_error':
path => "/usr/bin:/usr/sbin:/bin:/sbin",
command => 'rm /usr/vice/etc/CellServDB && rm /usr/vice/etc/CellServDB.dist && touch /var/puppet/afs_bytelock_files_removed',
creates => '/var/puppet/afs_bytelock_files_removed',
require => File[ '/var/puppet' ],
}
# disable firewalld in favor of iptables
exec { 'disable_firewalld':
path => "/usr/bin:/usr/sbin:/bin:/sbin",
command => 'systemctl mask firewalld ; systemctl stop firewalld ; touch /var/puppet/firewalld_disabled',
creates => '/var/puppet/firewalld_disabled',
require => File[ '/var/puppet' ],
}
# allow direct interfacing with iptables
package { 'iptables-services':
ensure => installed,
require => File[ '/var/puppet' ],
}
# enable iptables {now, and at boot}
exec { 'enable_iptables':
path => "/usr/bin:/usr/sbin:/bin:/sbin",
command => 'systemctl enable iptables ; systemctl start iptables ; touch /var/puppet/iptables_enabled',
creates => '/var/puppet/iptables_enabled',
require => Package[ 'iptables-services' ],
}
# enable afs-client {now, and at boot}
exec { 'enable_openafs_client':
path => "/usr/bin:/usr/sbin:/bin:/sbin",
command => 'systemctl enable openafs-client ; systemctl start openafs-client ; touch /var/puppet/openafs_client_enabled',
creates => '/var/puppet/openafs_client_enabled',
require => Package[ 'iptables-services' ],
}
# Warning about the directory facilitating these fixes
file { '/var/puppet/README':
ensure => present,
mode => '0644',
require => File['/var/puppet'],
content =>
"This directory is used to hold lock (state) files by Puppet. This directory
and all contents are provided by modules/base/os/redhat/el7.pp. Removing
files in this directory will trigger restarts of critical system services.\n",
}
}
}
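Review bot: The firewall switch-over in `base::os::redhat::el7` can leave a host with no packet filter while Puppet records it as done. `disable_firewalld` and `enable_iptables` chain their commands with `;`, so the marker file is touched even when `systemctl start iptables` fails. Nothing orders the two execs against each other, and once the markers exist Puppet never re-checks the services, so a later re-enabled firewalld or a stopped iptables goes uncorrected. Declaring both as `service` resources makes the state enforced on every run and gives an explicit ordering. If masking firewalld is required, keep a separate exec for that guarded by an `unless` that checks the unit state rather than a marker file. `enable_openafs_client` also requires `Package['iptables-services']`, which looks like a copy/paste leftover.

```puppet
# … unchanged: el7 package deps, /var/puppet, AFS workaround exec …
service { 'firewalld':
  ensure => stopped,
  enable => false,
}
package { 'iptables-services': ensure => installed }
service { 'iptables':
  ensure  => running,
  enable  => true,
  require => [ Package['iptables-services'], Service['firewalld'] ],
}
# … unchanged: openafs-client enablement, /var/puppet/README …
```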
# Since some production RHEL6 hosts (e.g. zm01) have
# overrides to the syslog.conf file, that part of this
# class is being left commented out for now.
#
# RHEL6 ships with rsyslog 5. This is dumb. Newer versions
# are not available from EPEL either. This leaves 3 options:
# - settle for V5 (thus, this class),
# - package a version for placement in Stanford repos,
# - install the vendor-provided RPMs locally
# All three options have their disadvantages. For now,
# we will put our trust in what RHEL packaged.
#
class base::os::redhat::syslog inherits base::syslog {
# assuming only affected on RHEL6 for now
if ($::lsbmajdistrelease == '6') {
Base::Syslog::Config::Rsyslog['/etc/rsyslog.conf'] {
use_v5 => 'true',
use_syslog_conf => 'true',
use_default => 'false',
}
# if these files happen to be present, rsyslog will really
# complain upon restart
$rsyslog_files = [ '/etc/rsyslog.d/20-templates.conf',
'/etc/rsyslog.d/95-default.conf',
'/etc/rsyslog.d/postfix.conf' ]
file { $rsyslog_files: ensure => absent }
# uncomment to enforce a 'sane' global syslog.conf
#Base::Syslog::Config::Syslog['/etc/syslog.conf'] {
# ensure => present,
# source => 'puppet:///modules/s_rpmbuildserver/etc/syslog.conf',
#}
}
}
......@@ -22,7 +22,11 @@ class base::rpm::openafs {
# rpm class. applied to every RHEL system via basenode (os module)
class base::rpm {
include base::rpm::openafs
# for now, openafs packages not available for EL7 in the typical way
if ($::lsbmajdistrelease != '7') {
include base::rpm::openafs
}
case $::osfamily {
'RedHat': {
......@@ -37,15 +41,28 @@ class base::rpm {
}
# Apply to all RHEL releases
base::rpm::yumrepo { "dag-EL${::lsbmajdistrelease}.repo": }
if ($::lsbmajdistrelease != '7') {
base::rpm::yumrepo { "dag-EL${::lsbmajdistrelease}.repo": }
}
base::rpm::yumrepo { "stanford-priv-EL${::lsbmajdistrelease}.repo": }
base::rpm::yumrepo { "stanford-rhel${::lsbmajdistrelease}.repo": }
base::rpm::yumrepo { "stanford-EL${::lsbmajdistrelease}.repo": }
# RedHat-specific repository mirror (e.g. not CentOS)
# This will be going away on 2015-05-31, so not syncing RHEL7 at all
if ($::operatingsystem == 'RedHat' and $::lsbmajdistrelease != '7') {
base::rpm::yumrepo { "stanford-rhel${::lsbmajdistrelease}.repo": }
}
# puppetlabs repo now being mirrored on yum.stanford.edu
file { '/etc/yum.repos.d/puppet-mirror.repo':
ensure => present,
content => template('base/etc/yum.repos.d/puppetlabs-mirror.repo.erb'),
}
# Import puppetlabs key, since it does not change per OS/Arch
# This is technically unneeded if you 'include puppet3', though
# 'puppet3' is a separate shared module
base::rpm::import {'puppetlabs-mirror-rpmkey':
url => 'http://yum.stanford.edu/RPM-GPG-KEY-puppetlabs',
signature => 'gpg-pubkey-4bd6ec30-4ff1e4fa',
}
file {
# newsyslog config to rotate /var/log/yum.log
......@@ -62,39 +79,42 @@ class base::rpm {
base::rpm::yumrepo { 'rhel4.repo': }
}
# RHEL5 & RHEL6
'5','6': {
$yumpackage = $::lsbmajdistrelease ? {
'5' => 'yum-downloadonly',
'6' => 'yum-plugin-downloadonly',
# RHEL5+
default: {
# EL7 includes this plugin by default
if ($::lsbmajdistrelease != '7') {
$yumpackage = $::lsbmajdistrelease ? {
'5' => 'yum-downloadonly',
'6' => 'yum-plugin-downloadonly',
}
package { $yumpackage: ensure => present; }
}
package { $yumpackage: ensure => present; }
# disable yum rhn plugin
exec { 'disable yum rhn plugin':
command => "perl -pe 's/enabled = 1/enabled = 0/' -i /etc/yum/pluginconf.d/rhnplugin.conf",
onlyif => "[ -e /etc/yum/pluginconf.d/rhnplugin.conf ] && grep -q 'enabled = 1' /etc/yum/pluginconf.d/rhnplugin.conf",
command => "perl -pe 's/enabled = 1/enabled = 0/' -i /etc/yum/pluginconf.d/rhnplugin.conf",
onlyif => "[ -e /etc/yum/pluginconf.d/rhnplugin.conf ] && grep -q 'enabled = 1' /etc/yum/pluginconf.d/rhnplugin.conf",
}
# enable yum plugins in general
exec { 'enable yum plugins':
command => "perl -pe 's/plugins=0/plugins=1/' -i /etc/yum.conf",
onlyif => "grep -q 'plugins=0' /etc/yum.conf",
require => Exec['disable yum rhn plugin'],
command => "perl -pe 's/plugins=0/plugins=1/' -i /etc/yum.conf",
onlyif => "grep -q 'plugins=0' /etc/yum.conf",
require => Exec['disable yum rhn plugin'],
}
}
}
# only RHEL4 and RHEL5 use rpmpkgs log
case $::lsbmajdistrelease {
'4','5': {
file {
# rotate /var/log/rpmpkgs weekly
'/etc/newsyslog.weekly/rpmpkgs':
source => 'puppet:///modules/base/rpm/etc/newsyslog.weekly/rpmpkgs',
require => Package['newsyslog'];
}
if ($::lsbmajdistrelease == '4' or $::lsbmajdistrelease == '5') {
# rotate /var/log/rpmpkgs weekly
file { '/etc/newsyslog.weekly/rpmpkgs':
source => 'puppet:///modules/base/rpm/etc/newsyslog.weekly/rpmpkgs',
require => Package['newsyslog'];
}
}
}
default: {
warning('rpm.pp is being applied to a non-RHEL-based operating system')
}
}
}
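Review bot: The new `puppetlabs-mirror-rpmkey` import fetches its signing key over plain `http://yum.stanford.edu/...`. Its only pin is the `signature` value, which has the `gpg-pubkey-<short key id>-<timestamp>` form, not a full fingerprint. `base::rpm::import` is not shown here, so this is an inference: if `signature` is used only to test whether the key is already installed, the downloaded key is trusted unverified, and anyone on the network path could substitute a different package-signing key. Shipping the key from the module (a `puppet:///modules/...` source) or serving it over `https://` and checking the full fingerprint before `rpm --import` would close that. The existing `stanford-rpmkey` import in redhat.pp uses the same pattern. Worth a comment too: the `$yumpackage` selector has no `default`, so any release other than 5, 6 or 7 that reaches this arm fails compilation.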