| 1 |
# |
|---|
| 2 |
# Make sure you set these constants properly! |
|---|
| 3 |
# |
|---|
| 4 |
|
|---|
| 5 |
# Set this to true if you are autosigning your certificates |
|---|
| 6 |
AUTOSIGN = false |
|---|
| 7 |
|
|---|
| 8 |
# Set this to the commands you need to run to stop your puppetmasterd |
|---|
| 9 |
PUPPETMASTERD_STOP = [ |
|---|
| 10 |
"/etc/init.d/puppetmasterd stop", |
|---|
| 11 |
"/etc/init.d/mongrel-puppetmasterd stop", |
|---|
| 12 |
] |
|---|
| 13 |
|
|---|
| 14 |
# Set this to the commands you need to start your puppetmasterd |
|---|
| 15 |
PUPPETMASTERD_START = [ |
|---|
| 16 |
"env SVWAIT=30 /etc/init.d/mongrel-puppetmasterd start", |
|---|
| 17 |
"env SVWAIT=30 /etc/init.d/puppetmasterd start", |
|---|
| 18 |
] |
|---|
| 19 |
|
|---|
| 20 |
# Set this to the commands you need to stop puppetd on the clients |
|---|
| 21 |
PUPPETD_STOP = [ "/etc/init.d/puppetd stop" ] |
|---|
| 22 |
|
|---|
| 23 |
# Set this to the commands you need to start puppetd on the clients |
|---|
| 24 |
PUPPETD_START = [ "/etc/init.d/puppetd start" ] |
|---|
| 25 |
|
|---|
| 26 |
# Set this to the location of your puppet SSL directories |
|---|
| 27 |
PUPPET_SSL_LOCATION = "/etc/puppet/ssl" |
|---|
| 28 |
|
|---|
| 29 |
# Set this to the URL of your iclassify server, if you have one |
|---|
| 30 |
ICLASSIFY_SERVER = "https://iclassify.sfo.trusera.com" |
|---|
| 31 |
|
|---|
| 32 |
has_iclassify = false |
|---|
| 33 |
begin |
|---|
| 34 |
require '/srv/icagent/lib/iclassify' |
|---|
| 35 |
has_iclassify = true |
|---|
| 36 |
rescue |
|---|
| 37 |
end |
|---|
| 38 |
|
|---|
| 39 |
default_run_options[:pty] = true |
|---|
| 40 |
|
|---|
| 41 |
if has_iclassify |
|---|
| 42 |
set(:query, ENV["QUERY"]) if ENV.has_key?("QUERY") |
|---|
| 43 |
set(:query) do |
|---|
| 44 |
Capistrano::CLI.ui.ask "iClassify Query: " |
|---|
| 45 |
end unless exists?(:query) |
|---|
| 46 |
|
|---|
| 47 |
set(:password, ENV["PASSWORD"]) if ENV.has_key?("PASSWORD") |
|---|
| 48 |
|
|---|
| 49 |
set(:ic_user, ENV["USER"]) unless exists?(:ic_user) |
|---|
| 50 |
if ENV.has_key?('IC_SERVER') |
|---|
| 51 |
set(:ic_server, ENV["IC_SERVER"]) |
|---|
| 52 |
else |
|---|
| 53 |
set(:ic_server, ICLASSIFY_SERVER) |
|---|
| 54 |
end |
|---|
| 55 |
|
|---|
| 56 |
ic = IClassify::Client.new(ic_server, ic_user, password) |
|---|
| 57 |
ic_nodes = ic.search(query, [ 'fqdn' ]) |
|---|
| 58 |
|
|---|
| 59 |
ic_nodes.each do |node| |
|---|
| 60 |
role :clients, node.attrib?('fqdn') |
|---|
| 61 |
end |
|---|
| 62 |
else |
|---|
| 63 |
set(:clients) do |
|---|
| 64 |
Capistrano::CLI.ui.ask "Comma Seperated list of Clients to clean: " |
|---|
| 65 |
end unless exists?(:clients) |
|---|
| 66 |
clients.split(",").each do |c| |
|---|
| 67 |
role :clients, c |
|---|
| 68 |
end |
|---|
| 69 |
end |
|---|
| 70 |
|
|---|
| 71 |
# State which system the Puppet Master is |
|---|
| 72 |
set(:master) do |
|---|
| 73 |
Capistrano::CLI.ui.ask "Puppet Master FQDN:" |
|---|
| 74 |
end unless exists?(:master) |
|---|
| 75 |
|
|---|
| 76 |
role :master, master |
|---|
| 77 |
|
|---|
| 78 |
default_run_options[:pty] = true |
|---|
| 79 |
|
|---|
| 80 |
task :stop_puppetmasterd, :roles => :master do |
|---|
| 81 |
run_command(PUPPETMASTERD_STOP) |
|---|
| 82 |
end |
|---|
| 83 |
|
|---|
| 84 |
task :start_puppetmasterd, :roles => :master do |
|---|
| 85 |
run_command(PUPPETMASTERD_START) |
|---|
| 86 |
end |
|---|
| 87 |
|
|---|
| 88 |
task :stop_puppetd do |
|---|
| 89 |
run_command(PUPPETD_STOP) |
|---|
| 90 |
end |
|---|
| 91 |
|
|---|
| 92 |
task :start_puppetd do |
|---|
| 93 |
run_command(PUPPETD_START) |
|---|
| 94 |
end |
|---|
| 95 |
|
|---|
| 96 |
task :rm_certs do |
|---|
| 97 |
sudo("rm -rf #{PUPPET_SSL_LOCATION}") |
|---|
| 98 |
end |
|---|
| 99 |
|
|---|
| 100 |
# Oh, what a dirty, dirty thing this is. |
|---|
| 101 |
# If you are running mongrel, though, your puppetmasterd will never re-generate your certs |
|---|
| 102 |
# So this is going to do the right thing for you |
|---|
| 103 |
# Please forgive me. |
|---|
| 104 |
task :generate_ca_cert, :roles => :master do |
|---|
| 105 |
sudo("puppetmasterd --daemonize") |
|---|
| 106 |
logger.info("Waiting 30 seconds for the Puppetmaster to start and generate CA") |
|---|
| 107 |
sleep 30 |
|---|
| 108 |
sudo("killall -9 puppetmasterd") |
|---|
| 109 |
end |
|---|
| 110 |
|
|---|
| 111 |
task :generate_certs, :roles => :clients do |
|---|
| 112 |
run(%{ruby -e 'i = rand(60); puts "Sleeping " + i.to_s; sleep i'}) |
|---|
| 113 |
sudo("sh -c 'puppetd --onetime --debug --ignorecache --no-daemonize --server #{master}; exit 0'") |
|---|
| 114 |
end |
|---|
| 115 |
|
|---|
| 116 |
task :sign_all, :roles => :master do |
|---|
| 117 |
sudo("puppetca --sign --all") if AUTOSIGN != true |
|---|
| 118 |
end |
|---|
| 119 |
|
|---|
| 120 |
task :rebuild_certs do |
|---|
| 121 |
logger.info("Stopping Puppetmasterd") |
|---|
| 122 |
stop_puppetmasterd |
|---|
| 123 |
logger.info("Stopping Puppetd") |
|---|
| 124 |
stop_puppetd |
|---|
| 125 |
logger.info("Removing Certificates") |
|---|
| 126 |
rm_certs |
|---|
| 127 |
logger.info("Regenerating CA Certificates") |
|---|
| 128 |
generate_ca_cert |
|---|
| 129 |
logger.info("Starting Puppetmasterd") |
|---|
| 130 |
start_puppetmasterd |
|---|
| 131 |
logger.info("Running puppetd to generate certificates") |
|---|
| 132 |
generate_certs |
|---|
| 133 |
logger.info("Signing all waiting requests") |
|---|
| 134 |
sign_all |
|---|
| 135 |
logger.info("Starting Puppetd") |
|---|
| 136 |
start_puppetd |
|---|
| 137 |
logger.info("Certificates regenerated!") |
|---|
| 138 |
end |
|---|
| 139 |
|
|---|
| 140 |
def run_command(const) |
|---|
| 141 |
const.each do |cmd| |
|---|
| 142 |
sudo(cmd) |
|---|
| 143 |
end |
|---|
| 144 |
end |
|---|
