Merge pull request 'neoloc/cobbler_refacter' (#199) from neoloc/cobbler_refacter into develop

Reviewed-on: unkinben/puppet-prod#199

hieradata/common.yaml

@@ -98,6 +98,7 @@ facts_path: '/opt/puppetlabs/facter/facts.d'
 
 hiera_classes:
   - timezone
+  - profiles::selinux::setenforce
 
 profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::use_ntp: 'region'

hieradata/roles/infra/cobbler/server.eyaml

@@ -1,2 +1,2 @@
 ---
-profiles::cobbler::server::default_password_crypted: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJidO18dSzKXgDEvFhigrDmiMTW+D7obTCZVAvl0JzQ6nqRdnh6Xa+j+yc7YzYtCg9VH60vfcutHFGhJptlMbTQq3vSUoF9ylgTutaW/to4T8jb8gBqK1n7b+devEQh4soJtOdAPSidCX4aqsP9dK3I8IijNWMABz59usGbY6oWedmC4865PBcxyIu3phWynNULTXPBEAqdXAutkh4N3P1ydFk3eARCVS3uWo7zaXVsu4vIkjYRDCUyFXBWb12L/NmQ2EhGwckPwgX/rcKRL9r49GxQTLBHJ5MoHQanwoiRw+5Tz3qLW69z+hk91VpnpkZgANc081rmhdyp6qmuIAVDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBiDUwXVJ6mmwzt4YAxg3+qgDDWm5mlWEgsZqCHwG0n94v7oqCBqY2WQdTJAM3TtKlX2nOPlLEmfLrwqtsS2r3QzLo=]
+profiles::cobbler::params::default_password_crypted: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJidO18dSzKXgDEvFhigrDmiMTW+D7obTCZVAvl0JzQ6nqRdnh6Xa+j+yc7YzYtCg9VH60vfcutHFGhJptlMbTQq3vSUoF9ylgTutaW/to4T8jb8gBqK1n7b+devEQh4soJtOdAPSidCX4aqsP9dK3I8IijNWMABz59usGbY6oWedmC4865PBcxyIu3phWynNULTXPBEAqdXAutkh4N3P1ydFk3eARCVS3uWo7zaXVsu4vIkjYRDCUyFXBWb12L/NmQ2EhGwckPwgX/rcKRL9r49GxQTLBHJ5MoHQanwoiRw+5Tz3qLW69z+hk91VpnpkZgANc081rmhdyp6qmuIAVDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBiDUwXVJ6mmwzt4YAxg3+qgDDWm5mlWEgsZqCHwG0n94v7oqCBqY2WQdTJAM3TtKlX2nOPlLEmfLrwqtsS2r3QzLo=]

hieradata/roles/infra/cobbler/server.yaml

@@ -14,4 +14,5 @@ profiles::packages::install:
 profiles::pki::vault::alt_names:
   - cobbler.main.unkin.net
 
-profiles::cobbler::server::service_cname: 'cobbler.main.unkin.net'
+profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
+profiles::selinux::setenforce::mode: permissive

modules/libs/lib/facter/cobbler_data_dir_exists.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add('cobbler_data_dir_exists') do
+  confine enc_role: 'roles::infra::cobbler::server'
+  setcode do
+    File.exist?('/data/cobbler')
+  end
+end

modules/libs/lib/facter/cobbler_var_www_exists.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add('cobbler_var_www_exists') do
+  confine enc_role: 'roles::infra::cobbler::server'
+  setcode do
+    File.exist?('/var/www/cobbler')
+  end
+end

modules/libs/lib/facter/cobbler_var_www_islink.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add('cobbler_var_www_islink') do
+  confine enc_role: 'roles::infra::cobbler::server'
+  setcode do
+    File.exist?('/var/www/cobbler') and File.symlink?('/var/www/cobbler')
+  end
+end

site/profiles/manifests/cobbler/config.pp

@@ -0,0 +1,75 @@
+# profiles::cobbler::config
+class profiles::cobbler::config {
+
+  include profiles::cobbler::params
+
+  $default_password_crypted = $profiles::cobbler::params::default_password_crypted
+  $httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate
+  $httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey
+  $pxe_just_once = $profiles::cobbler::params::pxe_just_once
+  $service_cname = $profiles::cobbler::params::service_cname
+  $next_server = $profiles::cobbler::params::next_server
+  $server = $profiles::cobbler::params::server
+
+  # manage the cobbler settings file
+  file { '/etc/cobbler/settings.yaml':
+    ensure  => 'file',
+    content => template('profiles/cobbler/settings.yaml.erb'),
+    group   => 'apache',
+    owner   => 'root',
+    mode    => '0640',
+    require => Package['cobbler'],
+    notify  => Service['cobblerd'],
+  }
+
+  # manage the debmirror config to meet cobbler requirements
+  file { '/etc/debmirror.conf':
+    ensure  => 'file',
+    content => template('profiles/cobbler/debmirror.conf.erb'),
+    group   => 'root',
+    owner   => 'root',
+    mode    => '0644',
+    require => Package['debmirror'],
+  }
+
+  # manage the httpd ssl configuration
+  file { '/etc/httpd/conf.d/ssl.conf':
+    ensure  => 'file',
+    content => template('profiles/cobbler/httpd_ssl.conf.erb'),
+    group   => 'root',
+    owner   => 'root',
+    mode    => '0644',
+    require => Package['httpd'],
+    notify  => Service['httpd'],
+  }
+
+  # fix permissions in /var/lib/cobbler/web.ss
+  file {'/var/lib/cobbler/web.ss':
+    ensure  => 'file',
+    group   => 'root',
+    owner   => 'apache',
+    mode    => '0660',
+    require => Package['cobbler'],
+    notify  => Service['cobblerd'],
+  }
+
+  # manage the main ipxe menu script
+  file { '/var/lib/tftpboot/main.ipxe':
+    ensure  => 'file',
+    content => template('profiles/cobbler/main.ipxe.erb'),
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    require => Package['cobbler'],
+  }
+
+  # export cnames for cobbler
+  #profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
+  #  value  => $::facts['networking']['hostname'],
+  #  type   => 'CNAME',
+  #  record => "${service_cname}.",
+  #  zone   => $::facts['networking']['domain'],
+  #  order  => 10,
+  #}
+
+}

site/profiles/manifests/cobbler/init.pp

@@ -0,0 +1,17 @@
+# profiles::cobbler::init
+class profiles::cobbler::init (
+) {
+  # wait for enc_role to be populated, needed for hieradata to match
+  if $facts['enc_role'] == 'roles::infra::cobbler::server' {
+    include profiles::cobbler::config
+    include profiles::cobbler::install
+    include profiles::cobbler::ipxebins
+    include profiles::cobbler::selinux
+    include profiles::cobbler::service
+
+    Class['profiles::cobbler::install']
+    -> Class['profiles::cobbler::config']
+    -> Class['profiles::cobbler::ipxebins']
+    -> Class['profiles::cobbler::selinux']
+  }
+}

site/profiles/manifests/cobbler/install.pp

@@ -0,0 +1,34 @@
+# profiles::cobbler::install
+class profiles::cobbler::install {
+
+  include profiles::cobbler::params
+
+  $packages = $profiles::cobbler::params::packages
+
+  ensure_packages($packages, { ensure => 'present' })
+
+  # move the /var/www/cobbler directory to /data/cobbler
+  if ! $facts['cobbler_var_www_islink'] and ! $facts['cobbler_data_exists'] {
+    exec {'move_cobbler_data':
+      command => 'mv /var/www/cobbler /data/cobbler',
+      onlyif  => 'test -d /var/www/cobbler',
+      path    => ['/bin', '/usr/bin'],
+      before  => Service['cobblerd'],
+    }
+    file { '/var/www/cobbler':
+      ensure  => 'link',
+      target  => '/data/cobbler',
+      require => Exec['move_cobbler_data'],
+      before  => Service['httpd'],
+      notify  => Service['httpd'],
+    }
+  }
+  if ! $facts['cobbler_var_www_exists'] and $facts['cobbler_data_exists'] {
+    file { '/var/www/cobbler':
+      ensure => 'link',
+      target => '/data/cobbler',
+      before => Service['httpd'],
+      notify => Service['httpd'],
+    }
+  }
+}

site/profiles/manifests/cobbler/ipxebins.pp

@@ -1,6 +1,8 @@
 # profiles::cobbler::ipxebins
 class profiles::cobbler::ipxebins {
 
+  include profiles::cobbler::params
+
   # download the custom undionly.kpxe file
   # https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
   exec { 'download_undionly_kpxe':

site/profiles/manifests/cobbler/params.pp

@@ -0,0 +1,24 @@
+# profiles::cobbler::params
+class profiles::cobbler::params (
+  Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
+  Stdlib::Absolutepath $httpd_ssl_privatekey  = '/etc/pki/tls/vault/private.key',
+  Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
+  Stdlib::Fqdn $service_cname = $facts['networking']['fqdn'],
+  String  $default_password_crypted = 'changeme',
+  String  $server        = $::facts['networking']['ip'],
+  String  $next_server   = $::facts['networking']['ip'],
+  Boolean $pxe_just_once = true,
+  Array   $packages = [
+      'cobbler',
+      'cobbler3.2-web',
+      'httpd',
+      'syslinux',
+      'dnf-plugins-core',
+      'debmirror',
+      'pykickstart',
+      'fence-agents',
+      'selinux-policy-devel',
+      'ipxe-bootimgs',
+  ]
+){
+}

site/profiles/manifests/cobbler/selinux.pp

@@ -0,0 +1,48 @@
+# profiles::cobbler::selinux
+class profiles::cobbler::selinux inherits profiles::cobbler::params {
+
+  include profiles::cobbler::params
+
+  $tftpboot_path = $profiles::cobbler::params::tftpboot_path
+
+  # manage selinux requirements for cobbler
+  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+    $enable_sebooleans = [
+      'httpd_can_network_connect_cobbler',
+      'httpd_serve_cobbler_files',
+      'cobbler_can_network_connect'
+    ]
+
+    $enable_sebooleans.each |$bool| {
+      selboolean { $bool:
+        value      => on,
+        persistent => true,
+      }
+    }
+
+    selinux::fcontext { $tftpboot_path:
+      ensure   => 'present',
+      seltype  => 'cobbler_var_lib_t',
+      pathspec => "${tftpboot_path}(/.*)?",
+    }
+    selinux::fcontext { '/data/cobbler':
+      ensure   => 'present',
+      seltype  => 'cobbler_var_lib_t',
+      pathspec => '/data/cobbler(/.*)?',
+    }
+
+    exec { "restorecon_${tftpboot_path}":
+      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command     => "restorecon -Rv ${tftpboot_path}",
+      refreshonly => true,
+      subscribe   => Selinux::Fcontext[$tftpboot_path],
+    }
+    exec { 'restorecon_/data/cobbler':
+      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command     => 'restorecon -Rv /data/cobbler',
+      refreshonly => true,
+      subscribe   => Selinux::Fcontext['/data/cobbler'],
+    }
+  }
+}

site/profiles/manifests/cobbler/server.pp

@@ -1,119 +0,0 @@
-# profiles::cobbler::server
-class profiles::cobbler::server (
-  Stdlib::Fqdn         $service_cname,
-  String               $default_password_crypted,
-  Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
-  Stdlib::Absolutepath $httpd_ssl_privatekey  = '/etc/pki/tls/vault/private.key',
-  Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
-  String               $server        = $::facts['networking']['ip'],
-  String               $next_server   = $::facts['networking']['ip'],
-  Boolean              $pxe_just_once = true,
-) {
-
-  include profiles::cobbler::ipxebins
-
-  # manage the cobbler settings file
-  file { '/etc/cobbler/settings.yaml':
-    ensure  => 'file',
-    content => template('profiles/cobbler/settings.yaml.erb'),
-    group   => 'apache',
-    owner   => 'root',
-    mode    => '0640',
-    require => Package['cobbler'],
-    notify  => Service['cobblerd'],
-  }
-
-  # fix permissions in /var/lib/cobbler/web.ss
-  file {'/var/lib/cobbler/web.ss':
-    ensure  => 'file',
-    group   => 'root',
-    owner   => 'apache',
-    mode    => '0660',
-    require => Package['cobbler'],
-    notify  => Service['cobblerd'],
-  }
-
-  # manage the debmirror config to meet cobbler requirements
-  file { '/etc/debmirror.conf':
-    ensure  => 'file',
-    content => template('profiles/cobbler/debmirror.conf.erb'),
-    group   => 'root',
-    owner   => 'root',
-    mode    => '0644',
-    require => Package['debmirror'],
-  }
-
-  # manage the httpd ssl configuration
-  file { '/etc/httpd/conf.d/ssl.conf':
-    ensure  => 'file',
-    content => template('profiles/cobbler/httpd_ssl.conf.erb'),
-    group   => 'root',
-    owner   => 'root',
-    mode    => '0644',
-    require => Package['httpd'],
-    notify  => Service['httpd'],
-  }
-
-  # manage the main ipxe menu script
-  file { '/var/lib/tftpboot/main.ipxe':
-    ensure  => 'file',
-    content => template('profiles/cobbler/main.ipxe.erb'),
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    require => Package['cobbler'],
-  }
-
-  # ensure cobblerd is running
-  service {'cobblerd':
-    ensure  => 'running',
-    enable  => true,
-    require => File['/etc/cobbler/settings.yaml'],
-  }
-
-  # ensure httpd is running
-  service {'httpd':
-    ensure  => 'running',
-    enable  => true,
-    require => File['/etc/httpd/conf.d/ssl.conf'],
-  }
-
-  # export cnames for cobbler
-  profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
-    value  => $::facts['networking']['hostname'],
-    type   => 'CNAME',
-    record => "${service_cname}.",
-    zone   => $::facts['networking']['domain'],
-    order  => 10,
-  }
-
-  # manage selinux requirements for cobbler
-  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
-
-    $enable_sebooleans = [
-      'httpd_can_network_connect_cobbler',
-      'httpd_serve_cobbler_files',
-      'cobbler_can_network_connect'
-    ]
-
-    $enable_sebooleans.each |$bool| {
-      selboolean { $bool:
-        value      => on,
-        persistent => true,
-      }
-    }
-
-    selinux::fcontext { $tftpboot_path:
-      ensure   => 'present',
-      seltype  => 'cobbler_var_lib_t',
-      pathspec => "${tftpboot_path}(/.*)?",
-    }
-
-    exec { "restorecon_${tftpboot_path}":
-      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
-      command     => "restorecon -Rv ${tftpboot_path}",
-      refreshonly => true,
-      subscribe   => Selinux::Fcontext[$tftpboot_path],
-    }
-  }
-}

site/profiles/manifests/cobbler/service.pp

@@ -0,0 +1,17 @@
+# profiles::cobbler::service
+class profiles::cobbler::service inherits profiles::cobbler::params {
+
+  # ensure cobblerd is running
+  service {'cobblerd':
+    ensure  => 'running',
+    enable  => true,
+    require => File['/etc/cobbler/settings.yaml'],
+  }
+
+  # ensure httpd is running
+  service {'httpd':
+    ensure  => 'running',
+    enable  => true,
+    require => File['/etc/httpd/conf.d/ssl.conf'],
+  }
+}

site/roles/manifests/infra/cobbler/server.pp

@@ -3,5 +3,5 @@ class roles::infra::cobbler::server {
   include profiles::defaults
   include profiles::base
   include profiles::base::datavol
-  include profiles::cobbler::server
+  include profiles::cobbler::init
 }