From 5feedbb4f3e35cfb63201a360a685127b2608345 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 26 Jun 2018 01:04:09 +0200
Subject: Allow host to replicate the cluster from backup
---
 modules/profile/manifests/postgresql_master.pp | 50 ++++++++---------
 modules/role/manifests/backup/postgresql.pp | 62 +++++++++++++++++++---
 .../templates/backup/pam_ldap_pgbouncer.conf.erb | 2 +-
 python/reboot_ovh_cloud_instance.py | 3 ++
 4 files changed, 84 insertions(+), 33 deletions(-)
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
index 9966f0d..6f8854d 100644
--- a/modules/profile/manifests/postgresql_master.pp
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -83,33 +83,33 @@ define profile::postgresql_master ( ensure => present } } + } - $ldap_server = lookup("base_installation::ldap_server") - $ldap_base = lookup("base_installation::ldap_base") - $ldap_dn = lookup("base_installation::ldap_dn") - $ldap_password = generate_password(24, $password_seed, "ldap") - $ldap_attribute = "cn" + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_attribute = "cn" - file { "/etc/pam_ldap.d": - ensure => directory, - mode => "0755", - owner => "root", - group => "root", - } -> - file { "/etc/pam_ldap.d/postgresql.conf": - ensure => "present", - mode => "0600", - owner => $::profile::postgresql::pg_user, - group => "root", - content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"), - } -> - file { "/etc/pam.d/postgresql": - ensure => "present", - mode => "0644", - owner => "root", - group => "root", - source => "puppet:///modules/profile/postgresql_master/pam_postgresql" - } + file { "/etc/pam_ldap.d": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } -> + file { "/etc/pam_ldap.d/postgresql.conf": + ensure => "present", + mode => "0600", + owner => $::profile::postgresql::pg_user, + group => "root", + content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"), + } -> + file { "/etc/pam.d/postgresql": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/profile/postgresql_master/pam_postgresql" } } diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index b26773c..9e1c9f7 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp 
@@ -13,7 +13,7 @@ class role::backup::postgresql inherits role::backup { $ldap_server = lookup("base_installation::ldap_server") $ldap_base = lookup("base_installation::ldap_base") $ldap_dn = lookup("base_installation::ldap_dn") - $ldap_attribute = "uid" + $pgbouncer_ldap_attribute = "uid" $pg_slot = regsubst($ldap_cn, '-', "_", "G") @@ -71,18 +71,13 @@ class role::backup::postgresql inherits role::backup { ], } - file { "/etc/pam_ldap.d": - ensure => directory, - mode => "0755", - owner => "root", - group => "root", - } -> file { "/etc/pam_ldap.d/pgbouncer.conf": ensure => "present", mode => "0600", owner => $pg_user, group => "root", content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), + require => File["/etc/pam_ldap.d"], } -> file { "/etc/pam.d/pgbouncer": ensure => "present", @@ -94,6 +89,29 @@ class role::backup::postgresql inherits role::backup { } } + $ldap_attribute = "cn" + + file { "/etc/pam_ldap.d": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } -> + file { "/etc/pam_ldap.d/postgresql.conf": + ensure => "present", + mode => "0600", + owner => $pg_user, + group => "root", + content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"), + } -> + file { "/etc/pam.d/postgresql": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/profile/postgresql_master/pam_postgresql" + } + $pg_backup_hosts.each |$backup_host_cn, $pg_infos| { $host = find_host($facts["ldapvar"]["other"], $backup_host_cn) if empty($host) { 
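Review bot: The `/etc/pam_ldap.d`, `/etc/pam_ldap.d/postgresql.conf` and `/etc/pam.d/postgresql` resources added in the third hunk of this file carry the same titles as the ones profile::postgresql_master declares (the first hunk of this patch only re-indents them), so a node that receives both classes will fail catalog compilation with a duplicate declaration; if the two classes are never co-located, a comment saying so above the block would spare the next reader that check. The file content is also taken from another module's template, `profile/postgresql_master/pam_ldap_postgresql.conf.erb`, which presumably reads `@ldap_server`/`@ldap_base`/`@ldap_dn`/`@ldap_password`/`@ldap_attribute` from this class's scope — that is why `$ldap_attribute = "cn"` is set here after the pgbouncer copy was renamed to `$pgbouncer_ldap_attribute` in the first hunk. A one-line comment such as `# template shared with profile::postgresql_master; it expects the $ldap_* variables of this class in scope` would make that cross-module coupling explicit. The enclosing class continues outside the hunk.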
@@ -108,6 +126,31 @@ class role::backup::postgresql inherits role::backup { $pg_host = "$pg_backup_host" $pg_port = $pg_infos["dbport"] + unless empty($host) { + $host["ipHostNumber"].each |$ip| { + $infos = split($ip, "/") + $ipaddress = $infos[0] + if (length($infos) == 1 and $ipaddress =~ /:/) { + $mask = "128" + } elsif (length($infos) == 1) { + $mask = "32" + } else { + $mask = $infos[1] + } + + postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask": + type => 'hostssl', + database => 'replication', + user => $backup_host_cn, + address => "$ipaddress/$mask", + auth_method => 'pam', + order => "06-01", + target => "$pg_path/pg_hba.conf", + postgresql_version => "10", + } + } + } + if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { concat::fragment { "pgbouncer_$pg_backup_host": target => "/etc/pgbouncer/pgbouncer.ini", @@ -292,6 +335,11 @@ class role::backup::postgresql inherits role::backup { Concat["$pg_path/pg_hba.conf"], Concat["$pg_path/recovery.conf"], File["$pg_path/postgresql.conf"], + ], + subscribe => [ + Concat["$pg_path/pg_hba.conf"], + Concat["$pg_path/recovery.conf"], + File["$pg_path/postgresql.conf"], ] } } diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb index 12fa9bb..384a418 100644 --- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb +++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb @@ -3,5 +3,5 @@ host <%= @ldap_server %> base <%= @ldap_base %> binddn <%= @ldap_dn %> bindpw <%= @ldap_password %> -pam_login_attribute <%= @ldap_attribute %> +pam_login_attribute <%= @pgbouncer_ldap_attribute %> pam_filter <%= @ldap_filter %> diff --git a/python/reboot_ovh_cloud_instance.py b/python/reboot_ovh_cloud_instance.py index bd70e0b..1e88c89 100644 --- a/python/reboot_ovh_cloud_instance.py +++ b/python/reboot_ovh_cloud_instance.py 
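Review bot: The mask fallback in the middle of this hunk treats any `ipHostNumber` value without a `/` as a single host, but a value that is not an address at all (a hostname, or an entry with stray whitespace) is still interpolated into `address => "$ipaddress/$mask"` and yields a pg_hba.conf line that PostgreSQL refuses to load; since the values come from LDAP, a guard such as `if $ipaddress !~ /\A[0-9a-fA-F.:]+\z/ { fail("unexpected ipHostNumber ${ip} for ${backup_host_cn}") }` before the resource fails the catalog instead of leaving the server on a rejected config. The `unless empty($host)` wrapper repeats the `if empty($host)` test a few lines above (its `else` branch sets `$pg_backup_host`), so the block would read more naturally inside that branch. The resource title says "initial replication" but the rule is permanent; a comment above it, e.g. `# the backup host streams this cluster over TLS; PAM maps $backup_host_cn through /etc/pam.d/postgresql declared above`, would record the intent. The `$pg_backup_hosts.each` loop starts outside the hunk.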
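Review bot: The `subscribe` list added in the `@@ -292,6 +335,11 @@` hunk is a copy of the `require` list directly above it; in Puppet a `subscribe` relationship already provides the ordering that `require` gives, so the `require` entries are now redundant and the two lists will drift the next time one of them is edited. Keeping only `subscribe => [ Concat["$pg_path/pg_hba.conf"], Concat["$pg_path/recovery.conf"], File["$pg_path/postgresql.conf"] ]` expresses the same dependency plus the refresh. The resource this belongs to starts outside the hunk, so check that nothing else in it relies on `require` being present.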
@@ -25,6 +25,9 @@ if netboot_mode is not None: result = client.post("/cloud/project/{}/instance/{}/rescueMode".format(project, instance["id"]), imageId=instance["imageId"], rescue=(netboot_mode == "rescue")) print(result) +else: + result = client.post("/cloud/project/{}/instance/{}/reboot".format(project, instance["id"]), type="soft") + print(result) # reboot normal: #result = client.post("/cloud/project/{}/instance/{}/reboot".format(project, instance["id"]), type="soft") -- cgit v1.2.3 From cc278743bffea94197755c0d114389f5fd69596a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 27 Jun 2018 12:37:18 +0200 Subject: Listen to port depending on host variable --- modules/role/manifests/backup/postgresql.pp | 14 +++++++++++++- modules/role/templates/backup/postgresql.conf.erb | 7 ++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index 9e1c9f7..aef177b 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp @@ -121,6 +121,12 @@ class role::backup::postgresql inherits role::backup { } else { $pg_backup_host = $host["vars"]["real_hostname"][0] } + if has_key($host["vars"], "postgresql_backup_port") { + $pg_listen_port = $host["vars"]["postgresql_backup_port"][0] + } else { + $pg_listen_port = undef + } + $pg_path = "$mountpoint/$pg_backup_host/postgresql" $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" $pg_host = "$pg_backup_host" 
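Review bot: The new `else:` branch makes the soft-reboot call live, but the commented-out `#result = client.post(... "reboot" ..., type="soft")` kept below it now duplicates that exact call as dead text and will go stale; drop the `# reboot normal:` block, or replace it with a comment on the branch such as `# no netboot mode requested: plain soft reboot`. Both branches end in `print(result)`, so the print could follow the `if`/`else` once. The assignments of `netboot_mode`, `project` and `instance` are outside the hunk.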
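Review bot: In the `@@ -121,6 +121,12 @@` hunk of the second patch, `has_key($host["vars"], "postgresql_backup_port")` runs after the `if empty($host) { … } else { … }` that precedes it, so for a backup host that `find_host` does not return (the case both that `if` and the later `unless empty($host)` handle) `$host["vars"]` is presumably undef and stdlib's `has_key` rejects a non-Hash first argument, failing the whole catalog instead of just leaving the port unset. Guarding it, `if !empty($host) and has_key($host["vars"], "postgresql_backup_port") {`, keeps the existing behaviour for missing hosts. The same unguarded check is carried into the rewrite of this block in the third patch on this page (`@@ -121,16 +121,38 @@`). The `$pg_backup_hosts.each` loop starts outside the hunk.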
@@ -152,10 +158,16 @@ class role::backup::postgresql inherits role::backup { } if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { + if empty($pg_listen_port) { + $pg_listen_port_key = "" + } else { + $pg_listen_port_key = "port=$pg_listen_port" + } + concat::fragment { "pgbouncer_$pg_backup_host": target => "/etc/pgbouncer/pgbouncer.ini", order => 02, - content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", + content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", } postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": diff --git a/modules/role/templates/backup/postgresql.conf.erb b/modules/role/templates/backup/postgresql.conf.erb index 860089b..c4d223e 100644 --- a/modules/role/templates/backup/postgresql.conf.erb +++ b/modules/role/templates/backup/postgresql.conf.erb @@ -1,5 +1,10 @@ +<%- if !@pg_listen_port.nil? -%> +listen_addresses= '*' +port = <%= @pg_listen_port %> +ssl = on +<%- else -%> listen_addresses= '' +<%- end %> unix_socket_directories = '<%= @pg_path %>' data_directory = '<%= @pg_path %>' wal_level = logical - -- cgit v1.2.3 From 2f3d3a34ab0b3fd31bd84e4c935954740313dbed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 27 Jun 2018 13:10:32 +0200 Subject: Add ssl certificate for postgresql connection --- modules/role/manifests/backup/postgresql.pp | 30 ++++++++++++++++++++--- modules/role/templates/backup/postgresql.conf.erb | 2 ++ 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index aef177b..ee62a00 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp 
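Review bot: In the `postgresql.conf.erb` hunk, a configured listen port turns on `ssl = on` while this patch sets no `ssl_cert_file`/`ssl_key_file`, so PostgreSQL looks for `server.crt`/`server.key` in the data directory and refuses to start when they are absent; the next patch on this page adds the two settings, so at this revision the host is broken and the series does not bisect cleanly. `listen_addresses= '*'` also binds every interface, leaving pg_hba.conf as the only filter on what reaches the PAM/replication path; if the backup host has a dedicated address in `$host["ipHostNumber"]`, listening on that alone would narrow the exposure, and either way a comment such as `# reachable from the network only when postgresql_backup_port is set; pg_hba.conf restricts the peers` records the assumption. `<%- end %>` drops the trailing-newline trim the other tags use and emits a blank line — harmless, but inconsistent.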
@@ -121,16 +121,38 @@ class role::backup::postgresql inherits role::backup { } else { $pg_backup_host = $host["vars"]["real_hostname"][0] } + + $pg_path = "$mountpoint/$pg_backup_host/postgresql" + $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" + $pg_host = "$pg_backup_host" + $pg_port = $pg_infos["dbport"] + if has_key($host["vars"], "postgresql_backup_port") { $pg_listen_port = $host["vars"]["postgresql_backup_port"][0] + file { "$pg_path/certs": + ensure => directory, + mode => "0700", + owner => $pg_user, + group => $pg_group, + } -> + ssl::self_signed_certificate { $backup_host_cn: + common_name => $backup_host_cn, + country => "FR", + days => "3650", + organization => "Immae", + owner => $pg_user, + group => $pg_group, + directory => "$pg_path/certs", + before => File["$pg_path/postgresql.conf"], + } + $ssl_key = "$pg_path/certs/$backup_host_cn.key" + $ssl_cert = "$pg_path/certs/$backup_host_cn.crt" } else { $pg_listen_port = undef + $ssl_key = undef + $ssl_cert = undef } - $pg_path = "$mountpoint/$pg_backup_host/postgresql" - $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" - $pg_host = "$pg_backup_host" - $pg_port = $pg_infos["dbport"] unless empty($host) { $host["ipHostNumber"].each |$ip| { diff --git a/modules/role/templates/backup/postgresql.conf.erb b/modules/role/templates/backup/postgresql.conf.erb index c4d223e..8741507 100644 --- a/modules/role/templates/backup/postgresql.conf.erb +++ b/modules/role/templates/backup/postgresql.conf.erb @@ -2,6 +2,8 @@ listen_addresses= '*' port = <%= @pg_listen_port %> ssl = on +ssl_key_file = '<%= @ssl_key %>' +ssl_cert_file = '<%= @ssl_cert %>' <%- else -%> listen_addresses= '' <%- end %> -- cgit v1.2.3
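Review bot: The `ssl::self_signed_certificate` added for the listening case gives the server a ten-year self-signed certificate, but nothing on the client side (the backup host's pgbouncer fragment or its replication connection, both outside this hunk) is shown pinning it, so unless the peer connects with `sslmode=verify-full` and an `sslrootcert` pointing at `$pg_path/certs/$backup_host_cn.crt`, the TLS session encrypts but does not authenticate the server; a comment above the resource stating which side is expected to verify, e.g. `# self-signed server cert: peers must pin $backup_host_cn.crt (verify-full) for TLS to authenticate the server`, would record that. `$ssl_key`/`$ssl_cert` assume the define writes `<title>.key`/`<title>.crt` into `directory`, and PostgreSQL only starts when the key is owned by the server user with mode 0600 or stricter, so confirm the define honours the `owner`/`group` it is given and sets that mode. The block also keeps the `has_key($host["vars"], …)` check outside the `if empty($host)` branch, as in the previous patch.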