# virtual/vserver.pp -- manage vserver specifics # Copyright (C) 2007 David Schmitt # See LICENSE for the full license granted to you. module_dir{ "virtual/contexts": } class vserver::host { # make sure we have the ability to query for lsbdistcodename include assert_lsbdistcodename $utilvserver_version = $lsbdistcodename ? { etch => "0.30.216~r2772-6~bpo40+1", lenny => latest, default => latest, } case $vserver_vdirbase { '': { $vserver_vdirbase = "/var/lib/vservers" } } package { "util-vserver": ensure => $utilvserver_version; debootstrap: ensure => installed } file { "/etc/vservers": ensure => directory, require => Package["util-vserver"]; "/etc/vservers/local-interfaces": ensure => directory, mode => 0755, owner => root, group => root, require => File["/etc/vservers"]; "/usr/local/bin/build_vserver": source => "puppet://$server/modules/virtual/vserver/build_vserver", mode => 0755, owner => root, group => root, require => [ Package['util-vserver'], Package[debootstrap]]; "/etc/vservers/.defaults/vdirbase": ensure => $vserver_vdirbase, require => File[$vserver_vdirbase]; "$vserver_vdirbase": ensure => directory, mode => 000, owner => root, group => root; # perhaps we should use hashify. # but i'm commenting this out until we learn how to properly use in case we want to use it. #"/etc/cron.daily/vserver-hashify": # source => "puppet://$server/virtual/hashify.cron.daily", # mode => 0755, owner => root, group => root; } # remove dummy interfaces on the host delete_lines { modules_dummy: file => "/etc/modules", pattern => "^dummy", } # Remove these dummy interfaces, they are annoying and we dont need them file { "/etc/modprobe.d/local-dummy": ensure => absent, mode => 0644, owner => root, group => root; } # Setup some plugins if munin is enabled in the system case $virtual_munin { false: {} default: { file { "/usr/local/share/munin-plugins/vserver_resources": source => "puppet://$server/modules/virtual/munin/vserver_resources", mode => 0755, owner => root, group => root; "/usr/local/share/munin-plugins/vserver_cpu_": source => "puppet://$server/modules/virtual/munin/vserver_cpu_", mode => 0755, owner => root, group => root; "/usr/local/share/munin-plugins/vserver_loadavg": source => "puppet://$server/modules/virtual/munin/vserver_loadavg", mode => 0755, owner => root, group => root; } } } # Setup some plugins if munin is enabled in the system case $virtual_munin { false: {} default: { # This creates a load average graph combining the individual load averages of each vserver on the host munin::plugin { "vserver_loadavg": config => "user root\n", script_path_in => "/usr/local/share/munin-plugins"; } # This creates a RSS graph for each vserver on the host (note after more than 4 vservers this can get noisy) munin::plugin { "vserver_resources_RSS": ensure => "vserver_resources", config => "user root\nenv.resource RSS", script_path_in => "/usr/local/share/munin-plugins"; } # This creates a VM graph for each vserver on the host (note after more than 4 vservers this can get noisy) munin::plugin { "vserver_resources_VM": ensure => "vserver_resources", config => "user root\nenv.resource VM", script_path_in => "/usr/local/share/munin-plugins"; } # This creates a VM graph for each vserver on the host (note after more than 4 vservers this can get noisy) munin::plugin { "vserver_cpu_": config => "user root\n", script_path_in => "/usr/local/share/munin-plugins"; } } } } define vs_create($in_domain, $context, $legacy = false, $distro = 'etch', $debootstrap_mirror = 'http://ftp.debian.org/debian', $hostname = false, $interface = false, $memory_limit = false) { $vs_name = $legacy ? { true => $name, false => $in_domain ? { '' => $name, default => "${name}.${in_domain}" } } $vs_hostname = $hostname ? { false => 'none', default => $hostname } $vs_interface = $interface ? { false => 'none', default => $interface } case $vs_name { '': { fail ( "Cannot create VServer with empty name" ) } } case $legacy { true: { exec { "/bin/false # cannot create legacy vserver ${vs_name}": creates => "/etc/vservers/${vs_name}", alias => "vs_create_${vs_name}" } } false: { exec { "/usr/local/bin/build_vserver \"${vs_name}\" ${context} ${distro} ${debootstrap_mirror} ${vs_hostname} ${vs_interface} ${memory_limit}": creates => "/etc/vservers/${vs_name}", require => File["/usr/local/bin/build_vserver","/etc/vservers/.defaults/vdirbase"], alias => "vs_create_${vs_name}", timeout => "-1", } } } case $memory_limit { false: { } default: { file { "/etc/vservers/${vs_name}/rlimits": ensure => directory, mode => 0755, owner => root, group => root, require => Exec["vs_create_${vs_name}"], } file { "/etc/vservers/${vs_name}/rlimits/rss.hard": mode => 0644, owner => root, group => root, content => template("virtual/rss.hard.erb"), require => File["/etc/vservers/${vs_name}/rlimits"], } file { "/etc/vservers/${vs_name}/rlimits/rss.soft": mode => 0644, owner => root, group => root, content => template("virtual/rss.soft.erb"), require => File["/etc/vservers/${vs_name}/rlimits"], } file { "/etc/vservers/${vs_name}/flags": mode => 0644, owner => root, group => root, content => template("virtual/flags.erb"), require => Exec["vs_create_${vs_name}"], } } } } # ensure: present, stopped, running define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false, $distro = 'etch', $hostname = false, $interface = false, $memory_limit = false) { case $in_domain { '': {} default: { err("${fqdn}: vserver ${name} uses deprecated \$in_domain" ) } } $vs_name = $legacy ? { true => $name, false => $in_domain ? { '' => $name, default => "${name}.${in_domain}" } } case $vs_name { '': { fail ( "Cannot create VServer with empty name" ) } } $nodename = $hostname ? { false => $vs_name, default => $hostname } $if_dir = "/etc/vservers/${vs_name}/interfaces" $mark_file = "/etc/vservers/${vs_name}/apps/init/mark" # TODO: wasn't there a syntax for using arrays as case selectors?? case $ensure { present: { vs_create{ $name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, hostname => $hostname, interface => $interface, memory_limit => $memory_limit, } } running: { vs_create{ $name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, hostname => $hostname, interface => $interface, memory_limit => $memory_limit, } } stopped: { vs_create{ $name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, hostname => $hostname, interface => $interface, memory_limit => $memory_limit, } } delete: { vs_create{ $name: in_domain => $in_domain, context => $context, legacy => $legacy, distro => $distro, hostname => $hostname, interface => $interface, memory_limit => $memory_limit, } } default: { err("${fqdn}: vserver(${vs_name}): unknown ensure '${ensure}'") } } file { $if_dir: ensure => directory, checksum => mtime, require => Exec["vs_create_${vs_name}"]; } config_file { "/etc/vservers/${vs_name}/context": content => "${context}\n", notify => Exec["vs_restart_${vs_name}"], require => Exec["vs_create_${vs_name}"]; # create illegal configuration, when two vservers have the same context # number "/var/lib/puppet/modules/virtual/contexts/${context}": content => "\n"; "/etc/vservers/${vs_name}/uts/nodename": content => "${nodename}\n", notify => Exec["vs_restart_${vs_name}"], require => Exec["vs_create_${vs_name}"]; "/etc/vservers/${vs_name}/name": content => "${vs_name}\n", require => Exec["vs_create_${vs_name}"]; } # ensure a secure chroot barrier # we have to do it for each vserver, see # http://linux-vserver.org/Secure_chroot_Barrier#Solution:_Secure_Barrier exec { "setattr --barrier /etc/vservers/${vs_name}/vdir/../": unless => "showattr /etc/vservers/${vs_name}/vdir/../ | grep -- '----Bui- /etc/vservers/${vs_name}/vdir/../$'", require => Exec["vs_create_${vs_name}"], } case $ensure { present: { # don't start or stop the vserver, just make sure it exists, we just run a dummy status test here exec { "test -e \$(readlink -f /etc/vservers/${vs_name}/vdir)": require => Exec["vs_create_${vs_name}"], alias => "vs_restart_${vs_name}", } } stopped: { exec { "vserver ${vs_name} stop": onlyif => "test -e \$(readlink -f /etc/vservers/${vs_name}/run || echo /doesntexist )", require => Exec["vs_create_${vs_name}"], # fake the restart exec in the stopped case, so the dependencies are fulfilled alias => "vs_restart_${vs_name}", } file { $mark_file: ensure => absent, } } delete: { exec { "/usr/bin/yes | vserver ${vs_name} delete": alias => "vs_restart_${vs_name}", } } running: { exec { "vserver ${vs_name} start": unless => "test -e \$(readlink -f /etc/vservers/${vs_name}/run)", require => [ Exec["vs_create_${vs_name}"], File["/etc/vservers/${vs_name}/context"] ] } exec { "vserver ${vs_name} restart": refreshonly => true, require => Exec["vs_create_${vs_name}"], alias => "vs_restart_${vs_name}", subscribe => File[$if_dir], } case $mark { '': { err("${fqdn}: vserver ${vs_name} set to running, but won't be started on reboot without mark!") file { $mark_file: ensure => absent, } } default: { config_file { "/etc/vservers/${vs_name}/apps/init/mark": content => "${mark}\n", require => Exec["vs_create_${vs_name}"], } } } } } } # Changing stuff with this define won't do much good, since it relies on # restarting the vservers to do the work, which won't clean up orphaned # interfaces define vs_interface($prefix = 24, $dev = '') { file { "/etc/vservers/local-interfaces/${name}": ensure => directory, mode => 0755, owner => root, group => root; "/etc/vservers/local-interfaces/${name}/ip": content => "${name}\n", mode => 0644, owner => root, group => root; "/etc/vservers/local-interfaces/${name}/prefix": content => "${prefix}\n", mode => 0644, owner => root, group => root; } case $dev { '': { file { "/etc/vservers/local-interfaces/${name}/nodev": ensure => present, mode => 0644, owner => root, group => root; "/etc/vservers/local-interfaces/${name}/dev": ensure => absent; } } default: { config_file { "/etc/vservers/local-interfaces/${name}/dev": content => $dev, } file { "/etc/vservers/local-interfaces/${name}/nodev": ensure => absent, } } } } define vs_ip($vserver, $ip, $ensure) { err("$fqdn is using deprecated vs_ip instead of vs_ip_binding for $name") vs_ip_binding { $name: vserver => $vserver, ip => $ip, ensure => $ensure } } define vs_ip_binding($vserver, $ip, $ensure) { case $ensure { connected: { file { "/etc/vservers/${vserver}/interfaces/${name}": ensure => "/etc/vservers/local-interfaces/${ip}/", require => [ File["/etc/vservers/local-interfaces/${ip}"], Exec["vs_create_${vserver}"] ], notify => Exec["vs_restart_${vserver}"], } } disconnected: { file { "/etc/vservers/${vserver}/interfaces/${name}": ensure => absent, } } default: { err( "${fqdn}: vs_ip: ${vserver} -> ${ip}: unknown ensure: '${ensure}'" ) } } } define vs_sched($ensure = present, $fill_rate = '', $fill_rate2 = '', $interval = '', $interval2 = '', $tokens_min = '', $tokens_max = '', $tokens = '', $idle_time = false, $priority_bias = '') { file { "/etc/vservers/${name}/sched/fill-rate": ensure => $ensure, content => "$fill_rate\n", } file { "/etc/vservers/${name}/sched/fill-rate2": ensure => $ensure, content => "$fill_rate2\n", } file { "/etc/vservers/${name}/sched/interval": ensure => $ensure, content => "$interval\n", } file { "/etc/vservers/${name}/sched/interval2": ensure => $ensure, content => "$interval2\n", } file { "/etc/vservers/${name}/sched/tokens-min": ensure => $ensure, content => "$tokens_min\n", } file { "/etc/vservers/${name}/sched/tokens-max": ensure => $ensure, content => "$tokens_max\n", } file { "/etc/vservers/${name}/sched/tokens": ensure => $ensure, content => "$tokens\n", } file { "/etc/vservers/${name}/sched/priority-bias": ensure => $ensure, content => "$priority_bias\n", } vs_cflags { "${name}-sched_hard": vserver => $name, flag => "sched_hard", ensure => $ensure, } case $ensure { present: { if $fill_rate != '' { $set_fill_rate = "--fill-rate $fill_rate" } if $fill_rate2 != '' { $set_fill_rate2 = "--fill-rate2 $fill_rate2" } if $interval != '' { $set_interval = "--interval $interval" } if $interval2 != '' { $set_interval2 = "--interval2 $interval2" } if $tokens_min != '' { $set_tokens_min = "--tokens-min $tokens_min" } if $tokens_max != '' { $set_tokens_max = "--tokens-max $tokens_max" } if $tokens != '' { $set_tokens = "--tokens $tokens" } if $priority_bias != '' { $set_priority_bias = "--prio-bias $priority_bias" } case $idle_time { true: { $set_idle_time = "--idle-time" file { "/etc/vservers/${name}/sched/idle-time": ensure => present, } } default: { file { "/etc/vservers/${name}/sched/idle-time": ensure => absent, } } } $vsched_params = "$set_fill_rate $set_fill_rate2 $set_interval $set_interval2 $set_tokens_min $set_tokens_max $set_tokens $set_idle_time $set_priority_bias" exec { "vsched --xid `cat /etc/vservers/$name/context` ${vsched_params} --force": subscribe => File["/etc/vservers/$name/sched/fill-rate", "/etc/vservers/$name/sched/fill-rate2", "/etc/vservers/$name/sched/interval", "/etc/vservers/$name/sched/interval2", "/etc/vservers/$name/sched/tokens-min", "/etc/vservers/$name/sched/tokens-max", "/etc/vservers/$name/sched/tokens", "/etc/vservers/$name/sched/idle-time"], refreshonly => true, require => Exec["vs_create_${name}"], } } } } define vs_cflags($vserver, $flag, $ensure = present) { if ! defined(File["/etc/vservers/${vserver}/cflags"]) { file { "/etc/vservers/${vserver}/cflags": ensure => present, } } line {"vs_cflags-${vserver}-${flag}": ensure => $ensure, file => "/etc/vservers/${vserver}/cflags", line => "${flag}", require => Exec["vs_create_${vserver}"], notify => Exec["vattribute-${vserver}-${flag}"], } case $ensure { present: { exec { "vattribute-${vserver}-${flag}": command => "vattribute --set --xid `cat /etc/vservers/$vserver/context` --flag ${flag}", refreshonly => true, require => exec["vs_create_${vserver}"], } } default: { exec { "vattribute-${vserver}-${flag}": command => "vattribute --set --xid `cat /etc/vservers/$vserver/context` --flag ~${flag}", refreshonly => true, require => exec["vs_create_${vserver}"], } } } }