def generate(host):
"""Args is the layers we should probe."""
domain = lib.get_domain(host)
layers = lib.get_layers(domain)
if domain == 'EVENT':
mount = '%s-mgmt' % lib.get_current_event()
else:
mount = 'mgmt'
info = {}
info['layers'] = {}
# Only configure layers that we should probe
for layer in layers:
config = {
'port': 161,
}
secret = lib.read_secret('%s/%s' % (mount, 'snmpv3:%s' % layer))
if secret:
try:
config.update(parse_v3(secret))
except KeyError:
# F-up, invalid layer config
continue
else:
secret = lib.read_secret('%s/%s' % (mount, 'snmpv2:%s' % layer))
if not secret:
# F-up, no layer config
continue
config.update(parse_v2(secret))
info['layers'][layer] = config
return {'snmpexporter': info}
def generate(host, *args):
# Get current event, used to get up-to-date switch conf
current_event = lib.get_current_event()
info = {}
info['current_event'] = current_event
return {'dnsstatd': info}
def generate(host, *args):
# Get current event, used to decide name of dhcpinfo database
current_event = lib.get_current_event()
info = {}
info['current_event'] = current_event
return {'dhcpinfo': info}
def generate(host, *args):
info = {
'grafana': {
'current_event': lib.get_current_event()
}
}
return info
def generate(host, *args):
current_event = lib.get_current_event()
ldap_server = sorted(lib.get_servers_for_node('ldap', host))[0]
info = {}
info['current_event'] = current_event
info['ldap_server'] = ldap_server
return {'obsdlogin': info}
def generate(host, *args):
current_event = lib.get_current_event()
info = {}
info['kubernetes::install'] = {}
if 'colo' in args:
info['colo_k8s'] = {}
else:
variant = args[1]
if 'worker' in args:
# find api server that maches the variant
apiserver = ""
for h, o in lib.get_nodes_with_package("kubernetes").items():
if "control" in o and variant in o:
apiserver = h
if apiserver == "":
raise Exception("k8s apiserver missing in ipplan")
secretpath = '{}-services/kube-{}:token'.format(
current_event, variant)
secrets = lib.read_secret(secretpath)
if not secrets:
raise Exception(
"Kubeadm token secret missing. Is master deployed?")
info['kubernetes::worker'] = {
'variant': variant,
'apiserver': apiserver,
'cert_hash': secrets['cert_hash'],
'token': secrets['token']
}
if 'control' in args:
servicenet = lib.match_networks_name("EVENT@" + variant.upper() +
".*K8S-SVC")
podnet = lib.match_networks_name("EVENT@" + variant.upper() +
".*K8S-POD")
if len(servicenet) == 0 or len(podnet) == 0:
raise Exception("service- and/or podnet not found in ipplan")
info['kubernetes::master'] = {
'variant': variant,
'podnet': podnet[0],
'servicenet': servicenet[0],
'current_event': current_event
}
return info
def generate(host, *args):
info = {}
local_targets = []
local_targets.append({
'job_name': 'prometheus',
'scheme': 'http',
'static_configs': [{
'targets': ['localhost:9090']
}]
})
info['prometheus'] = generate_backend(host, local_targets)
# Get current event
info['prometheus']['current_event'] = lib.get_current_event()
return info
def generate(host, *args):
info = {}
# get admins from ldap for usage in factorio as admins
info['admins'] = sorted(grp.getgrnam('factorio-admin-access').gr_mem)
# see if we have a group password for factorio, otherwise create it
if lib.get_domain(host) == 'EVENT':
event = lib.get_current_event()
secretpath = '{}-mgmt/factorio:{}'.format(event, host)
else:
secretpath = 'secrets/factorio:{}'.format(host)
secrets = lib.read_secret(secretpath)
if not secrets:
password = '******'
res = lib.save_secret(secretpath, password=password)
secrets = {'password': password}
info['password'] = secrets['password']
info['world_name'] = args[0]
return {'factorio': info}
def generate(host, *args):
current_event = lib.get_current_event()
proto_map = {
'ios': 'cisco',
'nxos': 'cisco',
'fortios': 'fortigate',
'iosxr': 'cisco-xr',
'wlc': 'cisco-wlc',
'junos': 'juniper'
}
router_db_lines = []
for router in lib.get_nodes_with_option('rncd', 'event'):
protocol = proto_map[lib.get_os(router)]
router_db_lines.append('%s;%s;up' % (router, protocol))
info = {}
info['current_event'] = current_event
info['router_db_lines'] = router_db_lines
return {'rancid': info}
def generate(host, *args):
allowed_hosts = ['::1/128']
for r in lib.get_firewall_rules_to(host):
if r.service == 'pgdb':
ipv4 = r.from_ipv4
if '/' not in ipv4:
ipv4 += '/32'
ipv6 = r.from_ipv6
if '/' not in ipv6:
ipv6 += '/128'
allowed_hosts.append(ipv4)
allowed_hosts.append(ipv6)
# Check first option for version
version = None
if len(args) > 0:
m = re.match(r'^v(\d+)$', args[0])
if m is not None:
version = m.group(1)
if version is None:
raise Exception('No or invalid version for PostgreSQL specified')
# Read list of database to create on this server
db_list = []
for arg in args[1:]:
db_list.append(arg)
current_event = lib.get_current_event()
info = {}
info['allowed_hosts'] = sorted(x.ljust(46) for x in allowed_hosts)
info['db_list'] = db_list
info['current_event'] = current_event
info['domain'] = get_domain(host)
info['version'] = version
return {'postgresql': info}
def generate(host, *args):
"""Generate ldaplogin information.
Args:
*args: list(str): list of groups allowed to log in in addition to the
default users.
special keywords:
- git: restrict non-sudo users to git-shell
- otp: allow use of otp
- [0-9]+: listen on given port
"""
my_domain = lib.get_domain(host)
ldap_servers = lib.get_nodes_with_package('ldap', my_domain)
ldap_replicas = sorted(k for k, v in ldap_servers.iteritems()
if 'master' not in v)
# We want to be able to mutate the list
args = list(args)
if not ldap_replicas:
# If we don't have any LDAP servers, don't include this module
return {}
# We're only using the lowest two parts of the FQDN for identity.
# LDAP doesn't allow period in group names, replace with slash.
ident = '-'.join(host.split('.')[0:2])
info = {}
# 'otp' is a special keyword to enable otp authentication on the host
if 'otp' in args:
args.remove('otp')
info['use_otp'] = True
# find numbers in args, use it for ports
# 22 used by default, 2022 used for jumpgates
info['ssh_ports'] = set([22, 2022])
for arg in args:
if re.match('^[0-9]+$', arg):
info['ssh_ports'].add(int(arg))
args.remove(arg)
info['ssh_ports'] = list(info['ssh_ports'])
# For sudo users we have two groups:
# For event: services-event
# For colo: services-colo
# (.. and the ident-sudo group)
info['sudo'] = [ident + '-sudo-access']
services_group = 'services-colo-team'
if my_domain == 'EVENT':
services_group = 'services-team'
info['sudo'].append(services_group)
groups = []
for arg in args:
if arg.startswith('sudo'):
_, group = arg.split(':', 2)
info['sudo'].append(group)
else:
groups.append(arg)
# 'git' is a special keyword to enable restricting users to git-shell
if 'git' in args:
args.remove('git')
info['gitshell'] = ','.join(['!' + x for x in info['sudo']]) + ',*'
# Who should be allowed to log in to this system?
info['logon'] = [
(ident + '-access', 'ALL EXCEPT LOCAL'),
]
# Allow sudo users to logon everywhere
for group in info['sudo']:
info['logon'].append((group, 'ALL'))
# Add all explicit groups
for group in groups:
# Allow local logins as well to allow scripts to auth users
formatted = group.format(event=lib.get_current_event())
info['logon'].append((formatted, 'ALL'))
# LDAP settings
info['ldap'] = {'servers': [], 'servers_ip': {}}
for server in ldap_replicas:
info['ldap']['servers'].append(server)
(server_ipv4, server_ipv6), = lib.resolve_nodes_to_ip([server
]).values()
info['ldap']['servers_ip'][server] = (server_ipv4, server_ipv6)
info['ldap']['base'] = 'dc=tech,dc=dreamhack,dc=se'
info['ldap']['mount'] = '/ldap'
info['ca'] = lib.read_secret('ssh/config/ca')['public_key']
info['host_cert'] = sign_host_key(host)
info['panic_users'] = sorted(grp.getgrnam(services_group).gr_mem)
generate_borg_passphrase(host)
return {'ldaplogin': info}
def login_path(host):
if lib.get_domain(host) == 'EVENT':
return '%s-services/login:%s' % (lib.get_current_event(), host)
return 'services/login:%s' % (host, )
def generate(host, *args):
current_event = lib.get_current_event()
info = {}
info['current_event'] = current_event
return {'asterisktftp': info}
def generate(host, mgmt_fqdn, *args):
"""Arg format is domain:host.
The OS of the host is used to get the backend type.
"""
vault_prefix = ''
if lib.get_domain(host) == 'EVENT':
vault_prefix = '%s-' % lib.get_current_event()
vault_mount = '%sservices' % vault_prefix
deploy_domain = lib.get_domain(host)
deploy_gw, _ = lib.get_network_gateway(deploy_domain + '@DEPLOY')
deploy_networks, _ = lib.get_networks_with_name(deploy_domain + '@DEPLOY')
deploy_network, deploy_prefix = deploy_networks.split('/', 2)
deploy_conf = {
'gateway': deploy_gw,
'network': deploy_network,
'prefix': deploy_prefix
}
info = {
'esxi': [],
'c7000': [],
'vault_mount': vault_mount,
'domain': lib.get_domain(host).lower(),
'deploy_conf': deploy_conf,
'ocp': False,
'ocp_domain': 'ocp-' + lib.get_domain(host).lower(),
'ocp_machines': []
}
if mgmt_fqdn != 'no-rfc1918':
mgmt_network, _ = lib.get_ipv4_network(mgmt_fqdn)
_, mgmt_prefix = mgmt_network.split('/', 2)
mgmt_ip = lib.resolve_nodes_to_ip([mgmt_fqdn])
info['mgmt_if'] = {'ip': mgmt_ip[mgmt_fqdn][0], 'prefix': mgmt_prefix}
for arg in args:
if arg == 'ocp':
info['ocp'] = True
ocp_macs = [{
'name': 'r0a0',
'mac': 'E41D2DFC296A',
'mgmt-mac': 'E41D2DFC296C'
}, {
'name': 'r0a1',
'mac': 'E41D2DFC2826',
'mgmt-mac': 'E41D2DFC2828'
}, {
'name': 'r0a2',
'mac': 'E41D2DFC5F58',
'mgmt-mac': 'E41D2DFC5F60'
}, {
'name': 'r0a3',
'mac': 'E41D2DFC4554',
'mgmt-mac': 'E41D2DFC4556'
}, {
'name': 'r0a4',
'mac': '7CFE904142EE',
'mgmt-mac': '7CFE904142F0'
}, {
'name': 'r0a5',
'mac': '7CFE9041826C',
'mgmt-mac': '7CFE9041826E'
}, {
'name': 'r0a6',
'mac': '7CFE90413FE8',
'mgmt-mac': '7CFE90413FEA'
}, {
'name': 'r0a7',
'mac': 'E41D2DD3C842',
'mgmt-mac': 'E41D2DD3C844'
}, {
'name': 'r0a8',
'mac': 'E41D2DFC2B08',
'mgmt-mac': 'E41D2DFC2B0A'
}, {
'name': 'r0a9',
'mac': '7CFE9041327A',
'mgmt-mac': '7CFE9041327C'
}, {
'name': 'r0b0',
'mac': '7CFE904103EE',
'mgmt-mac': '7CFE904103F0'
}, {
'name': 'r0b1',
'mac': 'E41D2DFC2B50',
'mgmt-mac': 'E41D2DFC2B52'
}, {
'name': 'r0b2',
'mac': '7CFE904136A0',
'mgmt-mac': '7CFE904136A2'
}, {
'name': 'r0b3',
'mac': 'E41D2DFC4164',
'mgmt-mac': 'E41D2DFC4164'
}, {
'name': 'r0b4',
'mac': '7CFE90428E2C',
'mgmt-mac': '7CFE90428E2E'
}, {
'name': 'r0b5',
'mac': '7CFE9041FE08',
'mgmt-mac': '7CFE9041FE0A'
}, {
'name': 'r0b6',
'mac': 'E41D2DFC177C',
'mgmt-mac': 'E41D2DFC177E'
}, {
'name': 'r0b7',
'mac': 'E41D2DFCC594',
'mgmt-mac': 'E41D2DFCC596'
}, {
'name': 'r0b8',
'mac': 'E41D2DFC2A30',
'mgmt-mac': 'E41D2DFC2A32'
}, {
'name': 'r0b9',
'mac': 'E41D2DFCC180',
'mgmt-mac': 'E41D2DFCC182'
}, {
'name': 'r0c0',
'mac': 'E41D2DFCC648',
'mgmt-mac': 'E41D2DFCC64A'
}, {
'name': 'r0c1',
'mac': '7CFE90428088',
'mgmt-mac': '7CFE9042808A'
}, {
'name': 'r0c2',
'mac': '7CFE904182EA',
'mgmt-mac': '7CFE904182EC'
}, {
'name': 'r0c3',
'mac': 'E41D2DFC890A',
'mgmt-mac': 'E41D2DFC890C'
}, {
'name': 'r0c4',
'mac': '7CFE90418224',
'mgmt-mac': '7CFE90418226'
}, {
'name': 'r0c5',
'mac': 'E41D2DFC2838',
'mgmt-mac': 'E41D2DFC283A'
}, {
'name': 'r0c6',
'mac': '7CFE90428E98',
'mgmt-mac': '7CFE90428E9A'
}, {
'name': 'r0c7',
'mac': '7CFE90429C60',
'mgmt-mac': '7CFE90429C62'
}, {
'name': 'r0c8',
'mac': '7CFE90429CF0',
'mgmt-mac': '7CFE90429CF2'
}, {
'name': 'r0c9',
'mac': '7CFE9041AAC8',
'mgmt-mac': '7CFE9041AACA'
}, {
'name': 'r1a0',
'mac': 'E41D2DFC17D6',
'mgmt-mac': 'E41D2DFC17D8'
}, {
'name': 'r1a1',
'mac': '248A07907064',
'mgmt-mac': '248A07907066'
}, {
'name': 'r1a2',
'mac': '7CFE9041328C',
'mgmt-mac': '7CFE9041328E'
}, {
'name': 'r1a3',
'mac': 'E41D2DFC16B6',
'mgmt-mac': 'E41D2DFC16B8'
}, {
'name': 'r1a4',
'mac': '7CFE90423F24',
'mgmt-mac': '7CFE90423F26'
}, {
'name': 'r1a5',
'mac': '7CFE9041CE02',
'mgmt-mac': '7CFE9041CE04'
}, {
'name': 'r1a6',
'mac': '7CFE9041102A',
'mgmt-mac': '7CFE9041102C'
}, {
'name': 'r1a7',
'mac': '7CFE9042C53A',
'mgmt-mac': '7CFE9042C53C'
}, {
'name': 'r1a8',
'mac': '7CFE9042C6A2',
'mgmt-mac': '7CFE9042C6A4'
}, {
'name': 'r1a9',
'mac': '7CFE90423DF2',
'mgmt-mac': '7CFE90423DF4'
}, {
'name': 'r1b0',
'mac': 'E41D2DFC7F7A',
'mgmt-mac': 'E41D2DFC7F7C'
}, {
'name': 'r1b1',
'mac': '248A079070AC',
'mgmt-mac': '248A079070AE'
}, {
'name': 'r1b2',
'mac': 'E41D2DFC8E86',
'mgmt-mac': 'E41D2DFC8E88'
}, {
'name': 'r1b3',
'mac': '7CFE90428F5E',
'mgmt-mac': '7CFE90428F60'
}, {
'name': 'r1b4',
'mac': 'E41D2D54019C',
'mgmt-mac': 'E41D2D54019E'
}, {
'name': 'r1b5',
'mac': '7CFE9042E1B4',
'mgmt-mac': '7CFE9042E1B6'
}, {
'name': 'r1b6',
'mac': '7CFE9041FEF2',
'mgmt-mac': '7CFE9041FEF4'
}, {
'name': 'r1b7',
'mac': '7CFE90412B3C',
'mgmt-mac': '7CFE90412B3E'
}, {
'name': 'r1b8',
'mac': '7CFE90410ED4',
'mgmt-mac': '7CFE90410ED6'
}, {
'name': 'r1b9',
'mac': '7CFE9041A516',
'mgmt-mac': '7CFE9041A518'
}, {
'name': 'r1c0',
'mac': 'E41D2DFC2A8A',
'mgmt-mac': 'E41D2DFC2A8C'
}, {
'name': 'r1c1',
'mac': 'E41D2D53FF5C',
'mgmt-mac': 'E41D2D53FF5E'
}, {
'name': 'r1c2',
'mac': '7CFE90424188',
'mgmt-mac': '7CFE9042418A'
}, {
'name': 'r1c3',
'mac': 'E41D2DFCCE28',
'mgmt-mac': 'E41D2DFCCE2A'
}, {
'name': 'r1c4',
'mac': '7CFE90422946',
'mgmt-mac': '7CFE90422948'
}, {
'name': 'r1c5',
'mac': '7CFE9042E340',
'mgmt-mac': '7CFE9042E342'
}, {
'name': 'r1c6',
'mac': '7CFE9041354A',
'mgmt-mac': '7CFE9041354C'
}, {
'name': 'r1c7',
'mac': '7CFE9041AB34',
'mgmt-mac': '7CFE9041AB36'
}, {
'name': 'r1c8',
'mac': '7CFE9042CB34',
'mgmt-mac': '7CFE9042CB36'
}, {
'name': 'r1c9',
'mac': 'E41D2DFC2A66',
'mgmt-mac': 'E41D2DFC2A68'
}]
# Building dhcp static lease configuration for dhcpd.
leases = []
lastoctet = 100
for line in ocp_macs:
t = iter(line['mgmt-mac'])
mgmt_mac = ':'.join(a + b for a, b in zip(t, t))
d = {}
d['name'] = line['name']
d['mac'] = line['mac']
d['macshort'] = line['mac']
d['mgmt-mac'] = mgmt_mac
d['ip'] = '10.32.12.' + str(lastoctet)
lastoctet += 1
leases.append(d)
info['ocp_machines'].extend(leases)
continue
domain, host = arg.split(':', 2)
os = lib.get_os(host)
ip = lib.resolve_nodes_to_ip([host])
backend = {'ip': ip[host][0], 'fqdn': host, 'domain': domain}
if os == 'vcenter' or os == 'esxi':
info['esxi'].append(backend)
elif os == 'c7000':
info['c7000'].append(backend)
return {'provision': info}
def generate(host, *args):
# Decide if we are the active node:
if 'active' in args:
active = 1
else:
active = 0
# Get fqdn of active node
active_node = 'dhcp1.event.dreamhack.se'
for (k, v) in lib.get_nodes_with_package('dhcpd',
lib.get_domain(host)).items():
if v == [u'active']:
active_node = k
break
# Fetch DHCP scopes
scopes = lib.sqlite2dhcp_scope.App(['-', '/etc/ipplan.db',
'-']).run_from_puppet()
# Get the subnet the dhcpd lives at in CIDR notation
local_subnet_cidr = lib.get_ipv4_network(host)[0]
local_subnet = local_subnet_cidr.split('/')[0]
local_cidr = int(local_subnet_cidr.split('/')[1])
# Convert CIDR to netmask
bitmask = 0xffffffff ^ (1 << 32 - local_cidr) - 1
local_netmask = inet_ntop(AF_INET, pack('!I', bitmask))
# Set ntp-servers
ntp_servers = ", ".join(lib.get_servers_for_node('ntpd', host))
if not ntp_servers:
ntp_servers = ('0.pool.ntp.org, '
'1.pool.ntp.org, '
'2.pool.ntp.org, '
'3.pool.ntp.org')
# Set domain-name-servers
resolver_ipv4_addresses = []
for hostname, addresses in lib.resolve_nodes_to_ip(
lib.get_servers_for_node('resolver', host)).iteritems():
resolver_ipv4_addresses.append(addresses[0])
resolver_ipv4_addresses.sort()
domain_name_servers = ", ".join(resolver_ipv4_addresses)
if not domain_name_servers:
domain_name_servers = '8.8.8.8, 8.8.4.4'
# Set tftp-server-name
tftp_server_name_address = lib.resolve_nodes_to_ip(
['pxe.event.dreamhack.se'])
tftp_server_name = tftp_server_name_address['pxe.event.dreamhack.se'][0]
# Set next-server
next_server_addresses = lib.resolve_nodes_to_ip(['pxe.event.dreamhack.se'])
next_server = next_server_addresses['pxe.event.dreamhack.se'][0]
# Get current event, used to decide name of dhcpinfo database
current_event = lib.get_current_event()
info = {}
info['active'] = active
info['active_node'] = active_node
info['scopes'] = scopes
info['ntp_servers'] = ntp_servers
info['domain_name_servers'] = domain_name_servers
info['tftp_server_name'] = tftp_server_name
info['next_server'] = next_server
info['local_subnet'] = local_subnet
info['local_netmask'] = local_netmask
info['current_event'] = current_event
return {'dhcpd': info}