From 24aea7045b1422e8351870392b5fae0041e1f17d Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Thu, 22 Nov 2012 09:19:59 +0200 Subject: [PATCH 01/12] Added source parameter to python::setup::install --- python/manifests/init.pp | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/python/manifests/init.pp b/python/manifests/init.pp index 238d6b9..db35d90 100644 --- a/python/manifests/init.pp +++ b/python/manifests/init.pp @@ -30,12 +30,37 @@ class python { # Source directory. # $python: # Python executable name. Defaults to python. +# $source: +# Source path to package archive. # # === Sample usage # -# python::setup::install { "/usr/local/src/moin-1.8.8": } +# python::setup::install { "/usr/local/src/moin-1.8.8": +# source => "puppet:///files/packages/moin-1.8.8.tar.gz", +# } # -define python::setup::install($python="python") { +define python::setup::install($python="python", source="") { + + if $source { + $filename = basename($source) + file { "/usr/local/src/$(unknown)": + ensure => present, + mode => "0644", + owner => "root", + group => $operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + source => $source, + } + util::extract::tar { $name: + ensure => latest, + strip => 1, + source => "/usr/local/src/$(unknown)", + require => File["/usr/local/src/$(unknown)"], + before => Exec["python-setup-install-${name}"], + } + } exec { "python-setup-install-${name}": path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin", From 6921abf0cbd8951ac6390626a8f61182b2cea83d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 22 Nov 2012 12:30:52 +0200 Subject: [PATCH 02/12] Added logrotate rules for munin cgi logs. --- munin/manifests/init.pp | 7 +++++++ munin/templates/munin-cgi.logrotate.erb | 17 +++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 munin/templates/munin-cgi.logrotate.erb 
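Review bot: The new parameter is declared as `source=""` without the `$` sigil, unlike `$python` beside it; some Puppet parsers accept a bare name there, but it is inconsistent and newer ones reject it, so the signature should be `define python::setup::install($python="python", $source="") {`. The file title, the tar `source` and the `require` reference all read `"/usr/local/src/$(unknown)"`, which is not a variable reference in Puppet string syntax; given `$filename = basename($source)` just above, `"/usr/local/src/${filename}"` appears to be what was meant in all three places (this may be a rendering artefact of the page rather than the committed text, so please confirm). The parameter docs could also tell callers what `$name` is used for, e.g. `# $source: Source path to package archive; when set it is copied to /usr/local/src and unpacked into $name before the install.`, since the extract resource is keyed on `$name`. The hunk ends inside the `exec` resource, so the rest of the define is outside this view.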
diff --git a/munin/manifests/init.pp b/munin/manifests/init.pp index 1772eb8..5c13aff 100644 --- a/munin/manifests/init.pp +++ b/munin/manifests/init.pp @@ -269,6 +269,13 @@ class munin::server { group => $apache::sslserver::group, require => Package["munin"], } + file { "/etc/logrotate.d/munin-cgi": + ensure => present, + content => template("munin/munin-cgi.logrotate.erb"), + mode => "0644", + owner => "root", + group => "root", + } file { "/var/www/html/munin/.htaccess": ensure => present, diff --git a/munin/templates/munin-cgi.logrotate.erb b/munin/templates/munin-cgi.logrotate.erb new file mode 100644 index 0000000..63df851 --- /dev/null +++ b/munin/templates/munin-cgi.logrotate.erb @@ -0,0 +1,17 @@ +/var/log/munin/munin-cgi-graph.log { + daily + missingok + rotate 7 + compress + notifempty + create 0664 munin <%= scope.lookupvar('apache::sslserver::group') %> +} + +/var/log/munin/munin-cgi-html.log { + daily + missingok + rotate 7 + compress + notifempty + create 0664 munin <%= scope.lookupvar('apache::sslserver::group') %> +} From 8b75fc924ea46c07090138124fb7c2f22c375843 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 22 Nov 2012 11:19:04 +0000 Subject: [PATCH 03/12] Router Advertisement daemon support for CentOS/RHEL and OpenBSD. --- network/manifests/init.pp | 93 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/network/manifests/init.pp b/network/manifests/init.pp index cccd67a..57fd00f 100644 --- a/network/manifests/init.pp +++ b/network/manifests/init.pp 
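Review bot: The two stanzas in munin-cgi.logrotate.erb rotate by rename with neither `copytruncate` nor a postrotate hook, which is correct only if the writers are short-lived CGI processes that reopen the log on every request; if munin-cgi-graph is ever served by a long-lived process (FastCGI, for example) it would keep logging into the rotated file, so that assumption deserves a line in the template. The `create 0664 munin <group>` mode makes the logs group-writable, presumably so the web-server group that runs the CGI scripts can append; a comment such as `# 0664: the CGI scripts run as the web-server user and must be able to append` would stop a later hardening pass from tightening it and silently breaking logging. In the manifest hunk the logrotate file is given `group => "root"` unconditionally, unlike the OpenBSD-aware `wheel` selections used elsewhere in this tree; that is fine if munin::server is Linux-only, but worth stating.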
@@ -567,3 +567,96 @@ class network::manager::disable { } } + +# Define IPv6 prefixes for advertisement +# +# === Sample usage +# +# network::ipv6prefix { "em1": +# prefix => "2001:db8:c0de:cafe::/64" +# } +define network::ipv6prefix($prefix = "", $description = "") { + case $::operatingsystem { + "centos","redhat": { + file { "/etc/radvd.conf.d": + ensure => directory, + } + + file { "/etc/radvd.conf.d/radvd-${name}.conf": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + content => template("network/radvd.conf.erb"), + require => File["/etc/radvd.conf.d"], + notify => Exec["generate-radvd-conf"], + } + } + "openbsd": { + file { "/etc/rtadvd.conf.d": + ensure => directory, + } + + file { "/etc/rtadvd.conf.d/rtadvd-${name}.conf": + ensure => present, + mode => "0644", + owner => "root", + group => "wheel", + content => template("network/rtadvd.conf.erb"), + before => Service["rtadvd-${name}"], + notify => Service["rtadvd-${name}"], + } + + service { "rtadvd-${name}": + ensure => running, + enable => true, + start => "/usr/sbin/rtadvd -c /etc/rtadvd.conf.d/rtadvd-${name}.conf ${name}", + stop => "/usr/bin/pkill -f \"^/usr/sbin/rtadvd -c [^ ]+ ${name}\$\"", + status => "/usr/bin/pgrep -f \"^/usr/sbin/rtadvd -c [^ ]+ ${name}\$\"", + } + } + default: { + fail("Router advertisement not supported in $::operatingsystem.") + } + } +} + +# Router Advertisement daemon +# +class network::routeradvertisement { + case $::operatingsystem { + "centos","redhat": { + package { "radvd": + ensure => installed, + } + + service { "radvd": + ensure => running, + enable => true, + hasstatus => true, + require => [File["/etc/radvd.conf"], Package["radvd"]], + } + + file { "/etc/radvd.conf": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + require => Exec["generate-radvd-conf"], + notify => Service["radvd"], + } + + exec { "generate-radvd-conf": + command => "/bin/cat /etc/radvd.conf.d/radvd-*.conf >/etc/radvd.conf", + path => 
"/bin:/usr/bin:/sbin:/usr/sbin", + refreshonly => true, + } + } + "openbsd": { + # Only network::ipv6network is needed for OpenBSD + } + default: { + fail("Router advertisement not supported in $::operatingsystem") + } + } +} From f03286e5e31f2be014804957ee1ace9409b59165 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 22 Nov 2012 11:21:50 +0000 Subject: [PATCH 04/12] Add templates for radvd.conf (Centos/RHEL) and rtadvd.conf (OpenBSD). --- network/templates/radvd.conf.erb | 16 ++++++++++++++++ network/templates/rtadvd.conf.erb | 4 ++++ 2 files changed, 20 insertions(+) create mode 100644 network/templates/radvd.conf.erb create mode 100644 network/templates/rtadvd.conf.erb diff --git a/network/templates/radvd.conf.erb b/network/templates/radvd.conf.erb new file mode 100644 index 0000000..d1dca27 --- /dev/null +++ b/network/templates/radvd.conf.erb @@ -0,0 +1,16 @@ + +# <%= description %> +interface <%= name %> +{ + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 10; + AdvHomeAgentFlag off; + + prefix <%= prefix %> + { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + }; +}; diff --git a/network/templates/rtadvd.conf.erb b/network/templates/rtadvd.conf.erb new file mode 100644 index 0000000..2d37a4d --- /dev/null +++ b/network/templates/rtadvd.conf.erb @@ -0,0 +1,4 @@ + +# <%= description %> +<%= name %>:\ + :addr="<%= prefix.split("/").first %>":":prefixlen#<%= prefix.split("/").last %>: From 694ff90e5243f2a2f95815f2f1c0715845a3e0e6 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 22 Nov 2012 11:48:16 +0000 Subject: [PATCH 05/12] Rename network::ipv6prefix define to network::routeradvertisement::ipv6prefix. --- network/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network/manifests/init.pp b/network/manifests/init.pp index 57fd00f..5a06842 100644 --- a/network/manifests/init.pp +++ b/network/manifests/init.pp 
@@ -572,10 +572,10 @@ class network::manager::disable { # # === Sample usage # -# network::ipv6prefix { "em1": +# network::routeradvertisement::ipv6prefix { "em1": # prefix => "2001:db8:c0de:cafe::/64" # } -define network::ipv6prefix($prefix = "", $description = "") { +define network::routeradvertisement::ipv6prefix($prefix = "", $description = "") { case $::operatingsystem { "centos","redhat": { file { "/etc/radvd.conf.d": From cd91e65ab2ca8c0fbc09b051e338ed87cf040c95 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 22 Nov 2012 13:44:27 +0000 Subject: [PATCH 06/12] Fix too widely open regexp targeting SSL/TLS settings of Microsoft Internet Explorer. See rant: http://newestindustry.org/2007/06/06/dear-apache-software-foundation-fix-the-msie-ssl-keepalive-settings/ This is also ack'ed by Apache and fixed in their httpd's trunk: https://issues.apache.org/bugzilla/show_bug.cgi?id=49484 http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?view=markup --- apache/templates/site.https.conf.erb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb index 30e9982..14f55be 100644 --- a/apache/templates/site.https.conf.erb +++ b/apache/templates/site.https.conf.erb @@ -138,9 +138,10 @@ SSLCertificateChainFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a From 250819a34e9bc3a4ae0485ccf8feb22bf493c207 Mon Sep 17 00:00:00 2001 
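Review bot: The rewritten `BrowserMatch "MSIE [2-5]"` line carries no comment saying why the match was narrowed, and the context comment above it still speaks only in general terms about broken clients, so a future maintainer could plausibly widen it back to every MSIE; add `# Only MSIE 2-5 need these workarounds; later versions handle SSL keepalive and HTTP/1.1 (httpd bug 49484)` above the directive. The pattern is unanchored, so it would also match a hypothetical "MSIE 2x" or "MSIE 5x" token; `"MSIE [2-5]\."` is stricter if that matters, since real IE strings carry a dotted version. Both `SetEnvIf` and `BrowserMatch` come from mod_setenvif, so no module requirement changes with this edit.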
From: Ossi Herrala Date: Thu, 22 Nov 2012 14:35:01 +0000 Subject: [PATCH 07/12] Add priority high (:raflags#8:) for rtadvd.conf. --- network/templates/rtadvd.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/templates/rtadvd.conf.erb b/network/templates/rtadvd.conf.erb index 2d37a4d..b65f119 100644 --- a/network/templates/rtadvd.conf.erb +++ b/network/templates/rtadvd.conf.erb @@ -1,4 +1,4 @@ # <%= description %> <%= name %>:\ - :addr="<%= prefix.split("/").first %>":":prefixlen#<%= prefix.split("/").last %>: + :addr="<%= prefix.split("/").first %>":":prefixlen#<%= prefix.split("/").last %>:raflags#8: From ceaea468005aa51bfa221822572a647c848a0a17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Fri, 23 Nov 2012 10:46:12 +0200 Subject: [PATCH 08/12] Fixed /etc/printcap nag from OpenBSD when using cups::client. --- cups/manifests/init.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cups/manifests/init.pp b/cups/manifests/init.pp index 7cdd606..f72e8b3 100644 --- a/cups/manifests/init.pp +++ b/cups/manifests/init.pp @@ -31,6 +31,14 @@ class cups::client { creates => "/usr/bin/lpr.pre-cups", require => Package["cups"], } + file { "/etc/printcap": + ensure => present, + source => "/etc/cups/printcap", + mode => "0644", + owner => "root", + group => "wheel", + require => Exec["cups-enable"], + } } } From 15a3dacdecfd9c8e0e627ba9b65e4102dd3a19f5 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Wed, 28 Nov 2012 09:56:48 +0000 Subject: [PATCH 09/12] Allow using autogenerated db zonefiles (static and dynamic) without homename in filename. --- dns/manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index fda2a08..ba4051e 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp 
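Review bot: `raflags#8` is hard-coded into rtadvd.conf.erb for every prefix, so each host using this template advertises itself with the same router preference (which I read as the high-preference bit per rtadvd.conf(5)); where two routers advertise the same prefix the preference then no longer distinguishes them. Exposing it as a parameter of the define (defaulting to 8 to keep this commit's behaviour) and adding `# raflags#8: router preference "high"` in the template would make the intent visible, since the bare number is opaque in the termcap-style syntax.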
@@ -395,6 +395,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], ensure => present, source => [ "puppet:///files/dns/db.${zone}-dynamic.${homename}", + "puppet:///files/dns/db.${zone}-dynamic", "puppet:///modules/dns/empty", ], mode => "0640", @@ -410,6 +411,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], ensure => present, source => [ "puppet:///files/dns/db.${zone}-static.${homename}", + "puppet:///files/dns/db.${zone}-static", "puppet:///modules/dns/empty", ], mode => "0640", From 954955bd39fdca13cbb6be7f580b78d2078af895 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 29 Nov 2012 14:13:28 +0000 Subject: [PATCH 10/12] Perform named-checkconf before reloading named. This tries to minimize the risk of reloading broken config or invalid zone files, and kill our DNS infrastructure while doing so. --- dns/manifests/init.pp | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index ba4051e..7a6a87e 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp @@ -107,6 +107,16 @@ class dns::server { } } + exec { "named-checkconf": + command => $chroot ? { + "" => "/usr/sbin/named-checkconf -z", + default => "/usr/sbin/named-checkconf -z -t ${chroot}" + }, + refreshonly => true, + subscribe => File["named.conf"], + notify => Service["named"], + } + service { "named": name => $::operatingsystem ? { "ubuntu" => "bind9", @@ -155,7 +165,7 @@ class dns::server { user => "root", refreshonly => true, require => File["/usr/local/sbin/generate-named-conf.sh"], - notify => Service["named"], + notify => Exec["named-checkconf"], } file { "${chroot}${confdir}/named.conf.options": @@ -170,7 +180,7 @@ class dns::server { "openbsd" => undef, default => Package["bind"], }, - notify => Service["named"], + notify => Exec["named-checkconf"] } file { "${chroot}${confdir}/named.conf.local": 
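Review bot: The new `named-checkconf` exec gates the reload but not the write: by the time it runs, the possibly broken named.conf or zone files are already on disk, so a failed check keeps the running named healthy yet leaves a config that the next restart (reboot, package upgrade) will choke on; say so on the exec, e.g. `# A failing check blocks the reload only; the rejected config is already on disk and must be fixed before named is next restarted.`. With `refreshonly => true` the check also runs only when something notifies it, so a zone file changed outside Puppet is never validated; acceptable, but worth noting in the same comment. Because `-z` loads every zone, one bad zone file blocks the reload for all zones, which matches the intent in the commit message but is worth stating for operators reading the failure.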
@@ -185,7 +195,7 @@ class dns::server { "openbsd" => undef, default => Package["bind"], }, - notify => Service["named"], + notify => Exec["named-checkconf"] } } @@ -225,7 +235,7 @@ class dns::server::ldap inherits dns::server { command => "dnsdump.py --notest /var/named/master.in /var/named/master", require => File["/usr/local/sbin/dnsdump.py"], unless => "dnsdump.py --test /var/named/master.in /var/named/master", - notify => Service["named"] + notify => Exec["named-checkconf"], } } @@ -389,7 +399,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], "openbsd" => undef, default => Package["bind"], }, - notify => Service["named"], + notify => Exec["named-checkconf"], } file { "${dns::server::chroot}${zonedir}/db.${zone}-dynamic": ensure => present, @@ -405,7 +415,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], "openbsd" => undef, default => Package["bind"], }, - notify => Service["named"], + notify => Exec["named-checkconf"], } file { "${dns::server::chroot}${zonedir}/db.${zone}-static": ensure => present, @@ -421,7 +431,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], "openbsd" => undef, default => Package["bind"], }, - notify => Service["named"], + notify => Exec["named-checkconf"], } } } @@ -468,5 +478,4 @@ class dns::nsupdate { minute => "*/5", require => File["/usr/local/sbin/nsupdate.sh"], } - } From 3edd0c4f39ad4f211df4810a80bc403034845cf9 Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Thu, 29 Nov 2012 14:21:39 +0000 Subject: [PATCH 11/12] Add missing commas before anyone wonders why they are missing.. ;) --- dns/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index 7a6a87e..1f0a23f 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp 
@@ -180,7 +180,7 @@ class dns::server { "openbsd" => undef, default => Package["bind"], }, - notify => Exec["named-checkconf"] + notify => Exec["named-checkconf"], } file { "${chroot}${confdir}/named.conf.local": @@ -195,7 +195,7 @@ class dns::server { "openbsd" => undef, default => Package["bind"], }, - notify => Exec["named-checkconf"] + notify => Exec["named-checkconf"], } } From 42ebc910ccb32256fb230d63e72a2a1d2f6b3f9a Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Fri, 30 Nov 2012 08:05:43 +0000 Subject: [PATCH 12/12] Require rndc config generation before checkconf and remove unneccessary subscribe to named.conf. --- dns/manifests/init.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index 1f0a23f..5ad817b 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp @@ -113,7 +113,7 @@ class dns::server { default => "/usr/sbin/named-checkconf -z -t ${chroot}" }, refreshonly => true, - subscribe => File["named.conf"], + require => Exec["rndc-confgen"], notify => Service["named"], } @@ -133,7 +133,6 @@ class dns::server { "openbsd" => "/usr/sbin/named", default => undef, }, - require => Exec["rndc-confgen"], } file { "named.conf":
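Review bot: Dropping `subscribe => File["named.conf"]` means changes to the named.conf resource itself no longer trigger the check-then-reload chain unless that resource notifies `Exec["named-checkconf"]` or the `generate-named-conf` exec on its own; the `file { "named.conf":` declaration begins on the last line of the hunk, so its notify cannot be confirmed here, and if it manages content it should carry `notify => Exec["named-checkconf"],`. Moving `require => Exec["rndc-confgen"]` from the service to the exec keeps rndc-confgen ordered before the service transitively through the exec's `notify`, so that part is equivalent.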