Diffstat (limited to 'manifests')
-rw-r--r--manifests/vserver.pp170
1 files changed, 117 insertions, 53 deletions
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index 11068b6..acd29f0 100644
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -56,53 +56,70 @@ class vserver::host {
"/etc/modprobe.d/local-dummy":
ensure => absent,
mode => 0644, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/vserver_resources":
- source => "puppet://$server/modules/virtual/munin/vserver_resources",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/vserver_cpu_":
- source => "puppet://$server/modules/virtual/munin/vserver_cpu_",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/vserver_loadavg":
- source => "puppet://$server/modules/virtual/munin/vserver_loadavg",
- mode => 0755, owner => root, group => root;
- }
-
- # This creates a load average graph combining the individual load averages of each vserver on the host
- munin::plugin {
- "vserver_loadavg":
- config => "user root\n",
- script_path_in => "/usr/local/share/munin-plugins";
- }
-
- # This creates a RSS graph for each vserver on the host (note after more than 4 vservers this can get noisy)
- munin::plugin {
- "vserver_resources_RSS":
- ensure => "vserver_resources",
- config => "user root\nenv.resource RSS",
- script_path_in => "/usr/local/share/munin-plugins";
- }
-
- # This creates a VM graph for each vserver on the host (note after more than 4 vservers this can get noisy)
- munin::plugin {
- "vserver_resources_VM":
- ensure => "vserver_resources",
- config => "user root\nenv.resource VM",
- script_path_in => "/usr/local/share/munin-plugins";
+<<<<<<< HEAD:manifests/vserver.pp
+ }
+
+ # Setup some plugins if munin is enabled in the system
+ case $munin_cidr_allow {
+ '': {}
+ default: {
+ file {
+ "/usr/local/share/munin-plugins/vserver_resources":
+ source => "puppet://$server/modules/virtual/munin/vserver_resources",
+ mode => 0755, owner => root, group => root;
+
+ "/usr/local/share/munin-plugins/vserver_cpu_":
+ source => "puppet://$server/modules/virtual/munin/vserver_cpu_",
+ mode => 0755, owner => root, group => root;
+
+ "/usr/local/share/munin-plugins/vserver_loadavg":
+ source => "puppet://$server/modules/virtual/munin/vserver_loadavg",
+ mode => 0755, owner => root, group => root;
+ }
+ }
}
- # This creates a VM graph for each vserver on the host (note after more than 4 vservers this can get noisy)
- munin::plugin {
- "vserver_cpu_":
- config => "user root\n",
- script_path_in => "/usr/local/share/munin-plugins";
+ # Setup some plugins if munin is enabled in the system
+ case $munin_cidr_allow {
+ '': {}
+ default: {
+ # This creates a load average graph combining the individual load averages of each vserver on the host
+ munin::plugin {
+ "vserver_loadavg":
+ config => "user root\n",
+ script_path_in => "/usr/local/share/munin-plugins";
+ }
+
+ # This creates a RSS graph for each vserver on the host (note after more than 4 vservers this can get noisy)
+ munin::plugin {
+ "vserver_resources_RSS":
+ ensure => "vserver_resources",
+ config => "user root\nenv.resource RSS",
+ script_path_in => "/usr/local/share/munin-plugins";
+ }
+
+ # This creates a VM graph for each vserver on the host (note after more than 4 vservers this can get noisy)
+ munin::plugin {
+ "vserver_resources_VM":
+ ensure => "vserver_resources",
+ config => "user root\nenv.resource VM",
+ script_path_in => "/usr/local/share/munin-plugins";
+ }
+
+ # This creates a VM graph for each vserver on the host (note after more than 4 vservers this can get noisy)
+ munin::plugin {
+ "vserver_cpu_":
+ config => "user root\n",
+ script_path_in => "/usr/local/share/munin-plugins";
+ }
+ }
}
-}
-define vs_create($in_domain, $context, $legacy = false, $distro = 'etch', $debootstrap_mirror = 'http://ftp.debian.org/debian') {
- $vs_name = $legacy ? { true => $name, false => $in_domain ? { '' => $name, default => "${name}.${in_domain}" } }
+define vs_create($in_domain, $context, $legacy = false, $distro = 'etch',
+ $debootstrap_mirror = 'http://ftp.debian.org/debian', $hostname = false, $interface = false) {
+ $vs_name = $legacy ? { true => $name, false => $in_domain ? { '' => $name, default => "${name}.${in_domain}" } }
+ $vs_hostname = $hostname ? { false => 'none', default => $hostname }
+ $vs_interface = $interface ? { false => 'none', default => $interface }
case $vs_name { '': { fail ( "Cannot create VServer with empty name" ) } }
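Review bot: The added line `<<<<<<< HEAD:manifests/vserver.pp` is an unresolved merge-conflict marker committed into the manifest, so the file no longer parses and every catalog that includes vserver::host (or the vserver/vs_create defines below) fails to compile. The two `case $munin_cidr_allow { '': {} default: { … } }` blocks that follow look like the two sides of that conflict, one declaring the `file` resources and one the `munin::plugin` resources; they should be folded into a single case block and the marker dropped. While touching it, the comment above the `"vserver_cpu_"` plugin still says `# This creates a VM graph …`, which describes the resources plugin, not this one; `# This creates a CPU usage graph for each vserver on the host` would match. The enclosing class vserver::host starts before this hunk.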
@@ -114,7 +131,7 @@ define vs_create($in_domain, $context, $legacy = false, $distro = 'etch', $deboo
}
}
false: {
- exec { "/usr/local/bin/build_vserver \"${vs_name}\" ${context} ${distro} ${debootstrap_mirror}":
+ exec { "/usr/local/bin/build_vserver \"${vs_name}\" ${context} ${distro} ${debootstrap_mirror} ${vs_hostname} ${interface}":
creates => "/etc/vservers/${vs_name}",
require => File["/usr/local/bin/build_vserver"],
alias => "vs_create_${vs_name}"
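Review bot: The new build_vserver command interpolates `${interface}` rather than `${vs_interface}`, although `$vs_interface` is set at the top of vs_create in the previous hunk precisely to map the default `false` to the `none` sentinel, as `${vs_hostname}` already does; with the default, the shell command receives an interpolated boolean instead of `none` and the positional arguments presumably shift. Change the line to `exec { "/usr/local/bin/build_vserver \"${vs_name}\" ${context} ${distro} ${debootstrap_mirror} \"${vs_hostname}\" \"${vs_interface}\"":`, which also quotes the two new arguments the way `${vs_name}` is quoted, so a hostname or interface specification containing whitespace or shell metacharacters cannot be split or interpreted by the shell this exec runs as root. The body of vs_create continues outside the hunk.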
@@ -124,7 +141,8 @@ define vs_create($in_domain, $context, $legacy = false, $distro = 'etch', $deboo
}
# ensure: present, stopped, running
-define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false, $distro = 'etch') {
+define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false, $distro = 'etch',
+ $hostname = false, $interface = false) {
case $in_domain { '': {}
default: { err("${fqdn}: vserver ${name} uses deprecated \$in_domain" ) }
}
@@ -133,21 +151,60 @@ define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false,
case $vs_name { '': { fail ( "Cannot create VServer with empty name" ) } }
- $if_dir = "/etc/vservers/${vs_name}/interfaces"
+ $nodename = $hostname ? { false => $vs_name, default => $hostname }
+ $if_dir = "/etc/vservers/${vs_name}/interfaces"
$mark_file = "/etc/vservers/${vs_name}/apps/init/mark"
# TODO: wasn't there a syntax for using arrays as case selectors??
case $ensure {
- present: { vs_create{$name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, } }
- running: { vs_create{$name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, } }
- stopped: { vs_create{$name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, } }
- delete: { vs_create{$name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, } }
- default: { err("${fqdn}: vserver(${vs_name}): unknown ensure '${ensure}'") }
+ present: {
+ vs_create{ $name:
+ in_domain => $in_domain,
+ context => $context,
+ legacy => $legacy,
+ distro => $distro,
+ hostname => $hostname,
+ interface => $interface,
+ }
+ }
+ running: {
+ vs_create{ $name:
+ in_domain => $in_domain,
+ context => $context,
+ legacy => $legacy,
+ distro => $distro,
+ hostname => $hostname,
+ interface => $interface,
+ }
+ }
+ stopped: {
+ vs_create{ $name:
+ in_domain => $in_domain,
+ context => $context,
+ legacy => $legacy,
+ distro => $distro,
+ hostname => $hostname,
+ interface => $interface,
+ }
+ }
+ delete: {
+ vs_create{ $name:
+ in_domain => $in_domain,
+ context => $context,
+ legacy => $legacy,
+ distro => $distro,
+ hostname => $hostname,
+ interface => $interface,
+ }
+ }
+ default: {
+ err("${fqdn}: vserver(${vs_name}): unknown ensure '${ensure}'")
+ }
}
file {
$if_dir:
- ensure => directory, checksum => mtime,
+ ensure => directory, checksum => mtime,
require => Exec["vs_create_${vs_name}"];
}
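Review bot: The four `present:`, `running:`, `stopped:` and `delete:` branches now carry four byte-identical vs_create declarations, which is the duplication the `# TODO: wasn't there a syntax for using arrays as case selectors??` comment a few lines up is asking about; Puppet's case accepts a comma-separated list of values, so a single `present, running, stopped, delete: {` label over one vs_create block replaces all four and the TODO can go. Any further parameter added to vs_create then only needs to be threaded through once rather than four times. The define vserver continues outside this hunk.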
@@ -161,7 +218,7 @@ define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false,
"/var/lib/puppet/modules/virtual/contexts/${context}":
content => "\n";
"/etc/vservers/${vs_name}/uts/nodename":
- content => "${vs_name}\n",
+ content => "${nodename}\n",
notify => Exec["vs_restart_${vs_name}"],
require => Exec["vs_create_${vs_name}"];
"/etc/vservers/${vs_name}/name":
@@ -169,6 +226,13 @@ define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false,
require => Exec["vs_create_${vs_name}"];
}
+ # ensure a secure chroot barrier
+ # we have to do it for each vserver, see
+ # http://linux-vserver.org/Secure_chroot_Barrier#Solution:_Secure_Barrier
+ exec { "setattr --barrier /etc/vservers/${vs_name}/vdir/../":
+ unless => "showattr /etc/vservers/${vs_name}/vdir/../ | grep -- '----Bui- /etc/vservers/${vs_name}/vdir/../$'"
+ }
+
case $ensure {
present: {
# don't start or stop the vserver, just make sure it exists, we just run a dummy status test here
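Review bot: The new `exec { "setattr --barrier /etc/vservers/${vs_name}/vdir/../": … }` has neither a fully-qualified command nor a `path` parameter, and its `unless` pipeline likewise relies on bare `showattr` and `grep`; Puppet refuses to run an exec whose command is not fully qualified unless `path` is given, so this resource will fail on every run. Add `path => '/usr/sbin:/usr/bin:/sbin:/bin',` (adjust to where the util-vserver tools live on the target distribution) and, like the sibling file resources in this define, `require => Exec["vs_create_${vs_name}"],` so the barrier is not attempted before the vserver directory exists on the first run. It is also applied unconditionally, including when `$ensure` is `delete`, which is presumably not intended. The `case $ensure {` that starts on the last hunk line continues outside the hunk.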