def _configure_git_repo(): ygg.send_event('Deployment configuration', 'The git version control tool is now being configured.') if os.path.exists('/var/git/projects'): local('rm -rf /var/git/projects') local('mkdir -p /var/git/projects') local("chmod g+s /var/git/projects") ygg.send_event('Deployment configuration', 'The git version control tool is now managing testing and deployments for this site.')
def _test_for_previous_run(): if os.path.exists("/etc/pantheon/incep"): # If the server has a certificate, send an event. if os.path.exists("/etc/pantheon/system.pem"): ygg.send_event( 'Restart', 'This site\'s server was restarted, but it is already configured.' ) abort("Pantheon config has already run. Exiting.")
def _configure_server(server): ygg.send_event('Software updates', 'Configuration updates have started.') # Get any new packages. #server.update_packages() # Update pantheon code, run bcfg2, restart Jenkins. update.update_pantheon(postback=False) # Create the tunable files. local('cp /etc/pantheon/templates/tuneables /etc/pantheon/server_tuneables') local('chmod 755 /etc/pantheon/server_tuneables') ygg.send_event('Software updates', 'Configuration updates have finished.')
def _configure_server(server): ygg.send_event('Software updates', 'Package updates have started.') # Get any new packages. server.update_packages() # Update pantheon code, run bcfg2, restart jenkins. update.update_pantheon(first_boot=True) # Create the tunable files. local('cp /etc/pantheon/templates/tuneables /etc/pantheon/server_tuneables') local('chmod 755 /etc/pantheon/server_tuneables') ygg.send_event('Software updates', 'Package updates have finished.')
def _configure_certificates(): # Just in case we're testing, we need to ensure this path exists. local('mkdir -p /etc/pantheon') pantheon.configure_root_certificate('http://pki.getpantheon.com') # Now Helios cert is OTS pki_server = 'https://pki.getpantheon.com' # Ask Helios about what to put into the certificate request. try: host_info = json.loads(urllib2.urlopen('%s/info' % pki_server).read()) ou = host_info['ou'] cn = host_info['cn'] subject = '/C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./OU=%s/CN=%s/emailAddress=hostmaster@%s/' % ( ou, cn, cn) except ValueError: # This fails if Helios says "Could not find corresponding LDAP entry." return False # Generate a local key and certificate-signing request. local('openssl genrsa 4096 > /etc/pantheon/system.key') local('chmod 600 /etc/pantheon/system.key') local( 'openssl req -new -nodes -subj "%s" -key /etc/pantheon/system.key > /etc/pantheon/system.csr' % subject) # Have the PKI server sign the request. local( 'curl --silent -X POST -d"`cat /etc/pantheon/system.csr`" %s > /etc/pantheon/system.crt' % pki_server) # Combine the private key and signed certificate into a PEM file (for Apache and Pound). local( 'cat /etc/pantheon/system.crt /etc/pantheon/system.key > /etc/pantheon/system.pem' ) local('chmod 640 /etc/pantheon/system.pem') local('chgrp ssl-cert /etc/pantheon/system.pem') # Start pound, which has been waiting for system.pem local('/etc/init.d/pound start') # Update BCFG2's client configuration to use the zone (a.k.a. OU) from the certificate local( 'sed -i "s/^bcfg2 = .*/bcfg2 = https:\/\/config.%s:6789/g" /etc/bcfg2.conf' % ou) # Wait 20 seconds so print 'Waiting briefly so slight clock skew does not affect certificate verification.' time.sleep(20) verification = local('openssl verify -verbose /etc/pantheon/system.crt') print verification ygg.send_event('Authorization', 'Certificate issued. Verification result:\n' + verification)
def _configure_server(server): ygg.send_event('Software updates', 'Package updates have started.') # Get any new packages. server.update_packages() # Update pantheon code, run bcfg2, restart jenkins. update.update_pantheon(first_boot=True) # Create the tunable files. local( 'cp /etc/pantheon/templates/tuneables /etc/pantheon/server_tuneables') local('chmod 755 /etc/pantheon/server_tuneables') ygg.send_event('Software updates', 'Package updates have finished.')
def _configure_iptables(server): ygg.send_event('Firewall configuration', 'The kernel\'s iptables module is now being configured.') if server.distro == 'centos': local('sed -i "s/#-A/-A/g" /etc/sysconfig/iptables') local('/sbin/iptables-restore < /etc/sysconfig/iptables') else: local('sed -i "s/#-A/-A/g" /etc/iptables.rules') local('/sbin/iptables-restore < /etc/iptables.rules') rules = open('/etc/iptables.rules').read() ygg.send_event('Firewall configuration', 'The kernel\'s iptables module is now blocking unauthorized traffic. Rules in effect:\n' + rules)
def _configure_postfix(server): ygg.send_event('Email delivery configuration', 'Postfix is now being configured.') hostname = server.get_hostname() with open('/etc/mailname', 'w') as f: f.write(hostname) local('/usr/sbin/postconf -e "myhostname = %s"' % hostname) local('/usr/sbin/postconf -e "mydomain = %s"' % hostname) local('/usr/sbin/postconf -e "mydestination = %s"' % hostname) local('/etc/init.d/postfix restart') ygg.send_event('Email delivery configuration', 'Postfix is now online.')
def _report(): '''Phone home - helps us to know how many users there are without passing \ any identifying or personal information to us. ''' print('##############################') print('# Pantheon Setup Complete! #') print('##############################') local('echo "DEAR SYSADMIN: PANTHEON IS READY FOR YOU NOW." | wall') ygg.send_event('Platform configuration', 'The Pantheon platform is now running.')
def _configure_certificates(): # Just in case we're testing, we need to ensure this path exists. local('mkdir -p /etc/pantheon') pantheon.configure_root_certificate('http://pki.getpantheon.com') # Now Helios cert is OTS pki_server = 'https://pki.getpantheon.com' # Ask Helios about what to put into the certificate request. try: host_info = json.loads(urllib2.urlopen('%s/info' % pki_server).read()) ou = host_info['ou'] cn = host_info['cn'] subject = '/C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./OU=%s/CN=%s/emailAddress=hostmaster@%s/' % (ou, cn, cn) except ValueError: # This fails if Helios says "Could not find corresponding LDAP entry." return False # Generate a local key and certificate-signing request. local('openssl genrsa 4096 > /etc/pantheon/system.key') local('chmod 600 /etc/pantheon/system.key') local('openssl req -new -nodes -subj "%s" -key /etc/pantheon/system.key > /etc/pantheon/system.csr' % subject) # Have the PKI server sign the request. local('curl --silent -X POST -d"`cat /etc/pantheon/system.csr`" %s > /etc/pantheon/system.crt' % pki_server) # Combine the private key and signed certificate into a PEM file (for Apache and Pound). local('cat /etc/pantheon/system.crt /etc/pantheon/system.key > /etc/pantheon/system.pem') local('chmod 640 /etc/pantheon/system.pem') local('chgrp ssl-cert /etc/pantheon/system.pem') # Export cert in pkcs12 format local('openssl pkcs12 -export -password pass: -in /etc/pantheon/system.pem -out /etc/pantheon/system.p12') local('chmod 600 /etc/pantheon/system.p12') # Start pound, which has been waiting for system.pem local('/etc/init.d/pound start'); # Update client config to use unique identifier local('sed -i "s/^user = .*/user = %s/g" /etc/bcfg2.conf' % cn) # Update BCFG2's client configuration to use the zone (a.k.a. OU) from the certificate local('sed -i "s/^bcfg2 = .*/bcfg2 = https:\/\/config.%s:6789/g" /etc/bcfg2.conf' % ou) # Wait 20 seconds so print 'Waiting briefly so slight clock skew does not affect certificate verification.' time.sleep(20) verification = local('openssl verify -verbose /etc/pantheon/system.crt') print verification ygg.send_event('Authorization', 'Certificate issued. Verification result:\n' + verification)
def _report(): '''Phone home - helps us to know how many users there are without passing \ any identifying or personal information to us. ''' id = local('hostname -f | md5sum | sed "s/[^a-zA-Z0-9]//g"').rstrip('\n') local('curl "http://getpantheon.com/pantheon.php?id="' + id + '"&product=pantheon"') print('##############################') print('# Pantheon Setup Complete! #') print('##############################') local('echo "DEAR SYSADMIN: PANTHEON IS READY FOR YOU NOW. Do not forget the README.txt, CHANGELOG.txt and docs!" | wall') ygg.send_event('Platform configuration', 'The Pantheon platform is now running.')
def _report(): '''Phone home - helps us to know how many users there are without passing \ any identifying or personal information to us. ''' id = local('hostname -f | md5sum | sed "s/[^a-zA-Z0-9]//g"').rstrip('\n') local('curl "http://getpantheon.com/pantheon.php?id="' + id + '"&product=pantheon"') print('##############################') print('# Pantheon Setup Complete! #') print('##############################') local( 'echo "DEAR SYSADMIN: PANTHEON IS READY FOR YOU NOW. Do not forget the README.txt, CHANGELOG.txt and docs!" | wall' ) ygg.send_event('Platform configuration', 'The Pantheon platform is now running.')
def _test_for_previous_run(): if os.path.exists("/etc/pantheon/incep"): # If the server has a certificate, send an event. if os.path.exists("/etc/pantheon/system.pem"): ygg.send_event('Restart', 'This site\'s server was restarted, but it is already configured.') abort("Pantheon config has already run. Exiting.")