[buildout]

parts +=
  logrotate-entry-cron
  logrotate-entry-equeue
  logrotate-entry-notifier
  logrotate-entry-resilient
  cron
  cron-entry-notifier-status-feed
  notifier-feed-status-promise
  notifier-stalled-promise
  resilient-sshkeys-authority
  sshd-raw-server
  sshd-graceful
  sshkeys-sshd
  sshd-promise
  resilient-sshkeys-sshd-promise
  sshd-pbs-authorized-key
  notifier

extends =
  ${monitor2-template:rendered}

[slap-network-information]
local-ipv4 = $${slap-configuration:ipv4-random}
global-ipv6 = $${slap-configuration:ipv6-random}

#----------------
#--
#-- Creation of all needed directories.

[rootdirectory]
recipe = slapos.cookbook:mkdirectory
etc = $${buildout:directory}/etc
var = $${buildout:directory}/var
srv = $${buildout:directory}/srv
bin = $${buildout:directory}/bin

[basedirectory]
recipe = slapos.cookbook:mkdirectory
log = $${rootdirectory:var}/log
services = $${rootdirectory:etc}/service
run = $${rootdirectory:var}/run
scripts = $${rootdirectory:etc}/run
backup = $${rootdirectory:srv}/backup
# NOTE(review): services is already set a few lines up in this section with the
# same value; drop one of the two, since duplicate-key handling depends on the
# parser.
services = $${rootdirectory:etc}/service
cache = $${rootdirectory:var}/cache
notifier = $${rootdirectory:etc}/notifier

[directory]
recipe = slapos.cookbook:mkdirectory
backup = $${basedirectory:backup}/$${slap-parameter:namebase}
ssh = $${rootdirectory:etc}/ssh/
sshkeys = $${rootdirectory:srv}/sshkeys
notifier-feeds = $${basedirectory:notifier}/feeds
notifier-callbacks = $${basedirectory:notifier}/callbacks
notifier-status-items = $${basedirectory:notifier}/status-items
cron-entries = $${rootdirectory:etc}/cron.d
crontabs = $${rootdirectory:etc}/crontabs
cronstamps = $${rootdirectory:etc}/cronstamps
cgi-bin = $${rootdirectory:srv}/cgi-bin
monitor-resilient = $${monitor-directory:private}/resilient

#----------------
#--
#-- Deploy cron.
# cron and cron-simplelogger are deployed by logrotate.

#----------------
#--
#-- Deploy logrotate.

[logrotate-entry-equeue]
<= logrotate-entry-base
name = equeue
log = $${equeue:log} $${sshd-server:log}
frequency = daily
rotate-num = 30

[logrotate-entry-notifier]
<= logrotate-entry-base
name = notifier
log = $${notifier:feeds}/*
rotate-num = 5
frequency = weekly
nocompress = 1

[logrotate-entry-resilient]
<= logrotate-entry-base
name = resilient_log
log = $${basedirectory:log}/resilient.log
frequency = weekly
rotate-num = 7

#----------------
#--
#-- Sets up an rdiff-backup server (with an OpenSSH server for SSH access)

[rdiff-backup-server]
# Server side of the backup pair (client = false), with path set to the
# directory:backup location. The wrapper generated here is the command that
# resilient-sshd-config pins with ForceCommand, so it is the only program an
# authenticated SSH peer is meant to reach.
# NOTE(review): what restrictions the pbs recipe writes into the wrapper (for
# example whether rdiff-backup is confined to path) is not visible in this
# file -- confirm in the recipe.
recipe = slapos.cookbook:pbs
client = false
path = $${directory:backup}
wrapper = $${rootdirectory:bin}/rdiffbackup-server
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup


#----------------
#--
#-- Set up the equeue and notifier.

[equeue]
recipe = slapos.cookbook:equeue
socket = $${basedirectory:run}/equeue.sock
lockfile = $${basedirectory:run}/equeue.lock
log = $${basedirectory:log}/equeue.log
database = $${rootdirectory:srv}/equeue.db
wrapper = $${basedirectory:services}/equeue
equeue-binary = ${buildout:bin-directory}/equeue

# notifier.notify adds the [exporter, notifier] to the execution queue
# notifier.notify.callback sets up a callback
[notifier]
recipe = slapos.recipe.template:jinja2
template = ${template-wrapper:output}
rendered = $${:wrapper}
wrapper = $${basedirectory:services}/notifier
mode = 0700
feeds = $${directory:notifier-feeds}
callbacks-directory = $${directory:notifier-callbacks}
# pubsubserver is started on the host and port options of this section, i.e.
# the global IPv6 address from slap-network-information.
# NOTE(review): no TLS or authentication option appears on this command line;
# confirm that access to the notifier port is restricted elsewhere.
command = ${buildout:bin-directory}/pubsubserver --callbacks $${:callbacks-directory} --feeds $${:feeds} --equeue-socket $${equeue:socket} --logfile $${basedirectory:log}/notifier.log $${:host} $${:port}
notifier-binary = ${buildout:bin-directory}/pubsubnotifier
host = $${slap-network-information:global-ipv6}
port = $${notifier-port:port}
instance-root-name = $${monitor-instance-parameter:root-instance-title}
log-url = $${monitor-publish-parameters:monitor-base-url}/resilient/notifier-status-rss
status-item-directory = $${directory:notifier-status-items}
context =
  key content notifier:command

[notifier-resilient-status-feed]
recipe = slapos.cookbook:wrapper
command-line = ${buildout:directory}/bin/generatefeed --output $${:feed-path} --status-item-path $${notifier:status-item-directory} --title "Status feed for $${notifier:instance-root-name}" --link $${notifier:log-url}
feed-path = $${directory:monitor-resilient}/notifier-status-rss
wrapper-path = $${rootdirectory:bin}/resilient-genstatusrss.py

[cron-entry-notifier-status-feed]
<= cron
recipe = slapos.cookbook:cron.d
name = resilient-notifier-status-feed
frequency = */5 * * * *
command = $${notifier-resilient-status-feed:wrapper-path}

[notifier-stalled-promise-bin]
recipe = slapos.cookbook:wrapper
# time-buffer is 24h (+1h of latitude)
command-line = ${buildout:bin-directory}/check-feed-as-promise --feed-path $${notifier-resilient-status-feed:feed-path} --title --ok-pattern 'OK' --time-buffer 90000
wrapper-path = $${rootdirectory:bin}/stalled-notifier-callbacks

[notifier-stalled-promise]
<= monitor-promise-base
module = check_command_execute
name = stalled-notifier-callbacks.py
config-command = $${notifier-stalled-promise-bin:wrapper-path}

#----------------
#--
#-- OpenSSH.
[resilient-sshd-config]
# Renders the sshd_config for the resilient backup endpoint: public-key
# authentication only, listening on the global-ipv6 address from
# slap-network-information, with every session forced into the rdiff-backup
# server wrapper through ForceCommand.
# NOTE(review): ForceCommand fixes the command that runs but does not by itself
# turn off TCP, agent or X11 forwarding; consider adding AllowTcpForwarding no,
# AllowAgentForwarding no, X11Forwarding no and PermitTunnel no, since nothing
# visible in this file needs them -- confirm against the backup flow.
# NOTE(review): Protocol and UsePrivilegeSeparation are deprecated in current
# OpenSSH releases; "UsePrivilegeSeparation no" is presumably here because sshd
# runs as an unprivileged user -- confirm, and drop both once the bundled
# OpenSSH no longer accepts them.
# NOTE(review): only an RSA host key is configured; confirm this matches the
# key types the backup clients are expected to accept.
# NOTE(review): the etc and run options read from the directory section are not
# among the [directory] keys visible in this file; presumably the extended
# monitor profile supplies them -- confirm.
# XXX: Add timeout support
recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/resilient-sshd.conf
path_pid = $${directory:run}/resilient-sshd.pid
template = inline:
 PidFile $${:path_pid}
 Port $${sshd-port:port}
 ListenAddress $${slap-network-information:global-ipv6}
 Protocol 2
 UsePrivilegeSeparation no
 HostKey $${directory:ssh}/server_key.rsa
 AuthorizedKeysFile $${directory:ssh}/.ssh/authorized_keys
 PasswordAuthentication no
 PubkeyAuthentication yes
 ForceCommand $${rdiff-backup-server:wrapper}

[sshd-raw-server]
recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6}
rsa-keyfile = $${directory:ssh}/server_key.rsa
# home is the directory whose .ssh/authorized_keys path is named by
# AuthorizedKeysFile in resilient-sshd-config.
home = $${directory:ssh}
# sshd flags: -D stay in the foreground, -e log to stderr instead of syslog,
# -f use the configuration file rendered by resilient-sshd-config. The
# sshd-server wrapper appends that stderr output to its log file.
command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
wrapper-path = $${rootdirectory:bin}/raw_sshd

[sshd-pbs-authorized-key]
<= sshd-raw-server
recipe = slapos.cookbook:dropbear.add_authorized_key
# The authorized-key instance parameter is substituted into this line as-is
# (empty string when the parameter is unset).
# NOTE(review): a value containing a newline would end this option and the rest
# would be parsed as further buildout lines; confirm the parameter is validated
# or serialised safely before rendering, and that the add_authorized_key recipe
# handles an empty key.
key = {{ slapparameter_dict.get('authorized-key', '') }}

[sshd-server]
recipe = collective.recipe.template
log = $${basedirectory:log}/sshd.log
input = inline:#!/bin/sh
    exec $${sshd-raw-server:wrapper-path} >> $${:log} 2>&1

output = $${rootdirectory:bin}/raw_sshd_log
mode = 700

[sshd-graceful]
recipe = slapos.cookbook:wrapper
command-line = $${rootdirectory:bin}/killpidfromfile $${resilient-sshd-config:path_pid} SIGHUP
wrapper-path = $${basedirectory:scripts}/sshd-graceful

[sshd-promise]
<= monitor-promise-base
module = check_port_listening
name = sshd.py
config-hostname = $${slap-network-information:global-ipv6}
config-port = $${sshd-port:port}

#----------------
#--
#-- sshkeys

[sshkeys-directory]
recipe = slapos.cookbook:mkdirectory
requests = $${directory:sshkeys}/resilient-requests
keys = $${directory:sshkeys}/resilient-keys

[resilient-sshkeys-authority]
recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/resilient_sshkeys_authority
keygen-binary = ${openssh:location}/bin/ssh-keygen

[sshkeys-sshd]
<= resilient-sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = sshd
type = rsa
executable = $${sshd-server:output}
public-key = $${sshd-raw-server:rsa-keyfile}.pub
private-key = $${sshd-raw-server:rsa-keyfile}
wrapper = $${basedirectory:services}/sshd

[resilient-sshkeys-sshd-promise-bin]
# Promise helper: exits 1 when the sshd public key value interpolated into the
# script at render time is empty or contains the string "None". It inspects
# that interpolated value, not the key file on disk.
recipe = collective.recipe.template
input = inline:#!${bash:location}/bin/bash
  PUBLIC_KEY_CONTENT="$${sshkeys-sshd:public-key-value}"
  if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
    exit 1
  fi
output = $${rootdirectory:bin}/public-key-existence
mode = 700

[resilient-sshkeys-sshd-promise]
<= monitor-promise-base
module = check_command_execute
name = public-key-existence.py
config-command = $${resilient-sshkeys-sshd-promise-bin:output}

#----------------
#--
#-- Promises

[notifier-feed-status-promise-bin]
recipe = slapos.recipe.template:jinja2
template = ${notifier-feed-promise-template:target}
rendered = $${rootdirectory:bin}/notifier-feed-check-malformed-or-failure.py
# Rendered script is readable and executable by its owner only.
mode = 700
# Values handed to the promise template: the feeds directory, the notifier's
# base URL and the Python interpreter to run with.
# NOTE(review): base_url reaches the notifier over plain HTTP on its global
# IPv6 host and port; confirm the feed content needs no transport protection.
context =
  key notifier_feed_directory directory:notifier-feeds
  raw base_url http://[$${notifier:host}]:$${notifier:port}/get/
  raw python_executable ${buildout:executable}

[notifier-feed-status-promise]
<= monitor-promise-base
module = check_command_execute
name = notifier-feed-check-malformed-or-failure.py
config-command = $${notifier-feed-status-promise-bin:rendered}
#----------------
#--
#-- Connection information to re-use.

[user-info]
recipe = slapos.cookbook:userinfo

# XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
# Publishes the sshd public key value, the SSH URL built from user, host, port
# and the rdiff-backup path, and the global IPv6 address. Only the public half
# of the key pair is referenced in this section.
# NOTE(review): presumably these are the values a backup peer uses to connect;
# confirm who can read the published connection parameters.
[resilient-publish-connection-parameter]
recipe = slapos.cookbook:publish
ssh-public-key = $${sshkeys-sshd:public-key-value}
resilient-ssh-url = ssh://$${user-info:pw-name}@[$${sshd-raw-server:host}]:$${sshd-port:port}/$${rdiff-backup-server:path}
ip = $${slap-network-information:global-ipv6}