diff --git a/puppet/zulip_ops/manifests/ksplice_uptrack.pp b/puppet/zulip_ops/manifests/ksplice_uptrack.pp new file mode 100644 index 0000000000..804b52805c --- /dev/null +++ b/puppet/zulip_ops/manifests/ksplice_uptrack.pp @@ -0,0 +1,27 @@ +class zulip_ops::ksplice_uptrack { + file { '/etc/uptrack': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0755', + } + $ksplice_access_key = zulipsecret('secrets','ksplice_access_key','') + file { '/etc/uptrack/uptrack.conf': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => template('zulip_ops/uptrack/uptrack.conf.erb'), + } + $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo-ksplice" + exec{ 'setup-apt-repo-ksplice': + command => $setup_apt_repo_file, + unless => "${setup_apt_repo_file} --verify", + } + Package { 'uptrack': + require => [ + Exec['setup-apt-repo-ksplice'], + File['/etc/uptrack/uptrack.conf'], + ], + } +} diff --git a/puppet/zulip_ops/manifests/profile/base.pp b/puppet/zulip_ops/manifests/profile/base.pp index 59e587fc04..6338860071 100644 --- a/puppet/zulip_ops/manifests/profile/base.pp +++ b/puppet/zulip_ops/manifests/profile/base.pp @@ -1,6 +1,7 @@ class zulip_ops::profile::base { include zulip::profile::base include zulip_ops::munin_node + include zulip_ops::ksplice_uptrack $org_base_packages = [# Management for our systems 'openssh-server', diff --git a/puppet/zulip_ops/templates/uptrack/uptrack.conf.erb b/puppet/zulip_ops/templates/uptrack/uptrack.conf.erb new file mode 100644 index 0000000000..e6669ef747 --- /dev/null +++ b/puppet/zulip_ops/templates/uptrack/uptrack.conf.erb 
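Review bot: `/etc/uptrack/uptrack.conf` is created with `mode => '0644'`, but the template added in this commit writes `accesskey = <%= @ksplice_access_key %>` into it, so every local account on the host can read the Ksplice access key. Nothing visible in this diff needs the file to be world-readable, so I would tighten it to `mode => '0600'` (or `'0640'` with a dedicated group, if some non-root reader exists that this diff does not show). It is also worth checking whether Puppet's file-diff output could write the rendered key to logs or reports when the content changes; `show_diff => false` on this resource avoids that.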
@@ -0,0 +1,66 @@ +[Auth] +accesskey = <%= @ksplice_access_key %> + +[Network] +# Proxy to use when accessing the Uptrack server, of the form +# [protocol://][username:password@][:port], where +# * protocol is the protocol to connect to the proxy (http or https) +# * the username and password are the authentication +# information needed to use your proxy (if any). +# * host and port are the hostname/ip address and port number used to +# connect to the proxy +# +# The proxy must support making HTTPS connections. If this is unset, +# Uptrack will look for the https_proxy, HTTPS_PROXY, and http_proxy +# environment variables in that order, and then finally look for a +# proxy setting in the system-wide GConf database, if available and +# enabled below. +# +# You can also set this to "None" to force Uptrack not to use a proxy, +# even if one is set in the environment. +https_proxy = + +# Look for proxy setting in the system-wide GConf database, if it's +# not set in the above variable or in an environment variable. +# +# This is broken in later versions of Ubuntu (and other distros too) +# so we disable this by default. See LP: #812940. +gconf_proxy_lookup = no + +### Uptrack Local Server options ### + +# The path to the CA certificate file used to verify the Uptrack +# server. +#ssl_ca_cert_file = + +# The directory for CA certificate files used to verify the Uptrack +# server. +#ssl_ca_cert_dir = + +# The location of the Uptrack updates repository. +#update_repo_url= + +### End of Uptrack Local Server options ### + +[Settings] +# Automatically install updates at boot time. If this is set, on +# reboot into the same kernel, Uptrack will re-install the same set of +# updates that were present before the reboot. +install_on_reboot = yes + +# Automatically install all available updates at boot time, even if +# rebooted into a different kernel. +#upgrade_on_reboot = yes + +# Uptrack runs in a cron job every few hours to check for and download +# new updates. 
You can can configure this cron job to automatically +# install new updates as they become available. +# +# Enable this option to make the cron job automatically install new +# updates. +# +# Please note that enabling autoinstall does not mean the Uptrack +# client itself is automatically upgraded. You will be notified via +# e-mail when a new Uptrack client is available, and it can be +# upgraded through your package manager. +autoinstall = yes diff --git a/scripts/lib/setup-apt-repo-ksplice b/scripts/lib/setup-apt-repo-ksplice new file mode 100755 index 0000000000..d29ff6f272 --- /dev/null +++ b/scripts/lib/setup-apt-repo-ksplice 
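Review bot: `accesskey = <%= @ksplice_access_key %>` is rendered unconditionally, and the manifest in this commit calls `zulipsecret('secrets','ksplice_access_key','')` with what looks like an empty-string fallback. A host that lacks the secret would then get `accesskey =` and still have `uptrack` installed with `autoinstall = yes`. Such a machine looks enrolled in live patching but presumably cannot authenticate to fetch updates, which is easy to miss in a patch-compliance review. I would make the missing key loud in the manifest, e.g. `if $ksplice_access_key == '' { fail('ksplice_access_key is not set') }`, or skip the class on hosts without it.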
@@ -0,0 +1,80 @@ +#!/usr/bin/env bash +set -x +set -e +set -u +set -o pipefail + +verify=false +args="$(getopt -o '' --long verify -- "$@")" +eval "set -- $args" +while true; do + case "$1" in + --verify) + verify=true + shift + ;; + --) + shift + break + ;; + esac +done + +# Ensure the directory for LAST_DEPENDENCIES_HASH exists +mkdir -p /var/lib/zulip + +SOURCES_FILE=/etc/apt/sources.list.d/ksplice.list +STAMP_FILE=/etc/apt/sources.list.d/ksplice.list.apt-update-in-progress + +ZULIP_SCRIPTS="$(dirname "$(dirname "$0")")" +DEPENDENCIES_HASH=$(sha1sum "$ZULIP_SCRIPTS/setup/"*.asc "$0") +DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state-ksplice" +# Ensure that DEPENDENCIES_HASH_FILE exists before hashing it. +touch "$DEPENDENCIES_HASH_FILE" +LAST_DEPENDENCIES_HASH="$(cat "$DEPENDENCIES_HASH_FILE")" + +# First, we only do anything in setup-apt-repo if any of its inputs +# (apt keys, code, etc.) changed. +if [ "$DEPENDENCIES_HASH" = "$LAST_DEPENDENCIES_HASH" ]; then + exit 0 +elif [ "$verify" == true ]; then + exit 1 +fi + +# Ensure that the sources file exists +touch "$SOURCES_FILE" + +# Hash it to check if the sources file is changed by the script later. +zulip_source_hash=$(sha1sum "$SOURCES_FILE") + +pre_setup_deps=(lsb-release apt-transport-https ca-certificates gnupg wget) +if ! apt-get -dy install "${pre_setup_deps[@]}"; then + apt-get update +fi +apt-get -y install "${pre_setup_deps[@]}" + +SCRIPTS_PATH="$(cd "$(dirname "$(dirname "$0")")" && pwd)" + +release=$(lsb_release -sc) +if [[ "$release" =~ ^(buster|bionic|cosmic|disco|eoan|focal|groovy)$ ]]; then + apt-key add "$SCRIPTS_PATH"/setup/ksplice.asc + cat >$SOURCES_FILE <"$DEPENDENCIES_HASH_FILE" diff --git a/scripts/setup/ksplice.asc b/scripts/setup/ksplice.asc new file mode 100644 index 0000000000..c58f186c2f --- /dev/null +++ b/scripts/setup/ksplice.asc 
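Review bot: `apt-key add "$SCRIPTS_PATH"/setup/ksplice.asc` puts the Ksplice key into apt's global trusted keyring, so it is accepted as a signer for every configured repository rather than only the Ksplice one; `apt-key` is also deprecated. Scoping the key to this source is the safer pattern: write it to its own keyring, for example `gpg --dearmor <"$SCRIPTS_PATH"/setup/ksplice.asc >/usr/share/keyrings/ksplice.gpg` (the file name is an example), and reference it with `[signed-by=/usr/share/keyrings/ksplice.gpg]` in the `deb` line. The heredoc that writes `$SOURCES_FILE` is not visible on this page, so the exact `deb` line to change has to be checked against the file. Separately, `cat >$SOURCES_FILE` should quote the variable the way the rest of the script does.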
@@ -0,0 +1,65 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBEoTaW8BCADXQtpKT5gzOC+/Me50Z07GHfZqkjAThrY+XGhKenklDrZA8nXe +FDcmlmMvfeSViP5UH+X7tzjUFT2FcUh65+Onggi/J9nFIDweQXxpzDYyWCK+B0RX +InKsq3TfEs5G0yIfYuKi/pgLYkFBls0stWC+1BS+3Lx4uDRTb/44D4LgzHKoAfy1 +Soho8nDDL1pWEpQAq/5yVSgRc1Vvs1s+CmR8zE5gVi3cfGS0kigdfZJVEdAY/w99 +t3abgYo1Eq3+Vc1bb+5DiEQZlZsWxWglQlvSyx60U2oxr05Ki+3ZyBomfFCTfL2m +fzzJ8cyglzNhFKhyFQIHqzoPR+Sxl8ppcnEJABEBAAG0NktzcGxpY2UgQVBUIFJl +cG9zaXRvcnkgU2lnbmluZyBLZXkgPGRldmVsQGtzcGxpY2UuY29tPokBNgQTAQgA +IAUCShNpbwIbAwULCQgHAwQVCgkIBRYCAwEAAh4BAheAAAoJEPfKYmW21AOO/pUH +/jKDtB3iRU2B4jii71CSFyFaz3BvJvgRMmIf53L85h3sUvqeVJiy8MoreWeoxst9 +uJBnp8W61QwolCbU6awqdZ2ywRi7JyYNopaEKptxJ3EgBYm+Dq0S7srQK0qCMdRX +k7OrhCoJEmev7SazhpdIkMWPtRyksgktBMlwQ5/PyLyW+mP3a8ujYDjMIqzScyDV +YBTKK8HtXaLb6Y2Fu4jinAm4YLP3XfnAyNE1Xi9fkzTBWgC4AZ4wctQWxViu6Q91 +HBB1xBjQYD6aCrPLB8/EtYO6n9UoIov6We8qwDDq7oufEKt8/uLXsomEbaWgOqAv +wZzpU6ZHueA8JEmNQYzf6pWZAg0EXKv2DQEQANWkHff3Mp7btrQsBCfiNYNh9fi2 +0KBhtfWyDI4pyU7ZkzF0sgXZPPUquYuKbRqbqW1NghWk/SFUewfWLLsxpWDUr+9p +ghLx2MvdKuaNfvQ/dAoiu7kevyIY4q9fiMwdtRmaCFnJVF2+XZA1z2iH6X6LcLPI +KEWU1Xd0aWaxoFFPqjkRy+dlDxxV2xsWdEBikIM7rnA4K6NY1V7YXl4DrHLiZB9U +4K4XuNjWxvjNFqdNUTSFnLKKDo55NmO62OvtX6QOtPkrc91efaQ+xVZwR0kk61r6 +Gon3CcDVqJMk02m9E/p8m2+LDymgmokgPtVQ9N8anfyTqw997gGaoR9FJRs1Pkko +IW+Wnhjf2kfOYp9f7yON5nZeAHH9ngaxbqr+0A6SxnyccH9cg9mSvpX61ddk/gPm +l40hYvGHNrnzkUOIaLx3Vngogyl6omFS7bi+t72uZifbA4U/oZhl+LUo4wiYCNAL +XcGS2kCVKoM3MJB6mg1++gaI7y/Sw7yYfLXp+mn6GTtPiG95JyhhggFpMxx1MSW8 ++MDmaBdNoEX+q20XUuUV/nU+82QpBWgJHtX36m5kaxZ6r0q/4ZpRgLe4qj3owoI7 +gbfi5K725ijh5nfKvsayVIzqsHQWLjJ8NP1H2ZLxgem4IqGBDkhQGXrHvaHWzTb6 +ZqF54fQJkxtX/uETABEBAAG0RE9yYWNsZSBPU1MgZ3JvdXAgKE9wZW4gU291cmNl +IFNvZnR3YXJlIGdyb3VwKSA8YnVpbGRAb3NzLm9yYWNsZS5jb20+iQI+BBMBAgAo +BQJcq/YNAhsDBQklmAYABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCCVi6p +rZhto3nfD/4vHhyoqJ+yURoGlbPjKodwC27PbmwJbjBsfhXnoR8pkCH5ZD8nA8XJ +tLLCpvOAhSsiXODwIy5ScozkESVSQo8Ngj4KO9S0/QH14VOGqOntY2XLQhBfyoLq 
+n+BMsNe4RsouP4R8u8qKGpwva0khpBaJABp+0bkMUchqdmlWvzx5cnAAwKV7+bb3 +HsriDRz3n29l0UXuKCAhweVMncZYZsvNFeLR9dVNAkCW1HkbH4WdGdKYCmUvqPVQ +bVyB6xmt8lls2yXT7kSrigdQ3exOBqpNhoxZHuMfocUX7l3Tmd2mW0tdsbohrVzV +nh76FrZ6EGdx4HFIK3lVPnO2a8kKbhBPj5LwAqx1AunHddZNazkHjUNjLfJAdpDP +5KjjZgS28YJ6Y+wJ+SJ3xk0SW2X0ozSIdglsV6G/ZyRl7hFU0QNWC6uWcQQogK+F +/BLhvPYhBk9JhAsYuZRjCmmR/ZWOQOFNBQynWKoteyiUKMN9NxmuVRoARc/sDXC4 +sGUAQcT/Jk5lupyATgBkqRWclia7aWtKQ2GKww5WxWEPILIUTDX58P5Ge9H240c6 +qB5NX/qQ7Ia76cLx2fArKrTAsnO77wQ116Zy+V32nDHcU9ZMZDgYY0ncxV3B/Cdi +SDm8oYNI6Y8O4SefGRo8mtMkgdIld+NKD8zQ+IsZdw4ykZU15ulJArkCDQRcq/YN +ARAAodmaW82j7/5qZiH06CeXNJRy2osQ2R7ybtDsddRqQRmBN9FTRqf71OZ+hQLI +dLXWrcDSX4WgH8UFPjkHLFR1/znShB3Q8Cmqjk3E2lAKpiA4I6lMdPRKdGH2BAIM +aDN9hJmXwwT6LMRTlY6NDnWD/ZqM4NcYhYc/BgTyVnIXu0TtsU0TC97uwitB58BH +R4BLPw8wV1DlRL+9hlD6N4tTZ1mp+XYHsCc/sy5elrfUySEHeVph0f69ZpAs9uT9 +uHty8q2QNsMdjXc1LadOlbJ+N5QIWkMe6nMw2RyVzQh/jhYoDVrSw7t3qYFbJUzQ +iCsLGJ5cn8RlUWSFcS6Vwa74vSIeGRH00Dp1Fe8L/AmewIBKPPEWrLOWFN81HVDB +Z1kmkLwiX2gfdVytPhO0S8kPG5dMyp4xI581Kx2pqIT27q2BsLXeoFO9uygGD1Gz +aFjadGpSE2G8yhFu3VTWpfCGf/2DV/7WLca8QPqPYC5YydT3N6FHfaK4ZCXjySjj +bxtEQ/PTwBj76/f+fhT9xuygnMC8KDX5ZhB7bq/SYgki7M6Z4VGZdxpMdRm/Jjpq +pK9B46ejSHVyNFkA31PpnyqVhvCHzKEY2V/JtA+aV3+h6IM1WvjexKXpbTZM4sVn +fqHZ4am3YspRXP7MVDCsB0W7pSj/WWAZEZvMF7M2BQKRAIsAEQEAAYkCJQQYAQIA +DwUCXKv2DQIbDAUJJZgGAAAKCRCCVi6prZhto7gSD/9ZESN0eiy9Ms9uMPCa0fRH +dPCKz96oc9Krnsj2MNI69ENaS/j8KJ0G7X4WxMOkiefjCIAgT14xv8vz0JzZjkvL +MeXM5EkwSDMSpyMh7CpFwTK8xvJOfHgZziEqIyFFwwtZC5anr8lPT34Heg/NAtce ++4C4q7RmMUmXXqht2gvu0BMA4+2qbGTC3bYbWUGQZRUI6IS7CDX70CCIyEMe3oaD +zAeMqhCIe/il4YMrFyV19MVMAfTe/H7abBPrVr9GMTViofOaWqZNrz1IM0NK2sbZ +WKRIHRh0O6pLMHoUxxRGS0nDDKE4oSMnhzbTBkbnFB+Il85yKPZBg9bm9i1A0Kcp ++ymwXsEI/8Zd1gBODJqMLGnimQ2wBmVHIdTHXM8xHUTX6x76XmzXzLRX5v7VgESY +CZwQwv1F6/5FvJ35heYn4/2sNOGS89fFX7gdmCXSZe9N3UJRSc2d3jRlLMWjyFOa +v/6PZPuJHfBzGejK/93ww5Sq5iwoMt0Gv2eD4K9t//yU0knp1sJABwRe9GfwUqOr +6I/6Ec9dc6H8Wsy8EmtsPdXoXrl7K/Isw3vgJrF3YHau7TXIs0YBFmvyI4fdx23h 
+vILSVIDnXI14+ih7od+AIQCwUS+i+KWvuQVuykMas/j3CHR6+1EM+ap+MwuKJpHE +5d586NuHxeqt80YNMJDN0Q== +=Y2MU +-----END PGP PUBLIC KEY BLOCK-----