puppet: Add ksplice uptrack for kernel hotpatches.

puppet/zulip_ops/manifests/ksplice_uptrack.pp

@@ -0,0 +1,27 @@
+class zulip_ops::ksplice_uptrack {
+  file { '/etc/uptrack':
+    ensure => 'directory',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+  $ksplice_access_key = zulipsecret('secrets','ksplice_access_key','')
+  file { '/etc/uptrack/uptrack.conf':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('zulip_ops/uptrack/uptrack.conf.erb'),
+  }
+  $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo-ksplice"
+  exec{ 'setup-apt-repo-ksplice':
+    command => $setup_apt_repo_file,
+    unless  => "${setup_apt_repo_file} --verify",
+  }
+  Package { 'uptrack':
+    require => [
+      Exec['setup-apt-repo-ksplice'],
+      File['/etc/uptrack/uptrack.conf'],
+    ],
+  }
+}

puppet/zulip_ops/manifests/profile/base.pp

@@ -1,6 +1,7 @@
 class zulip_ops::profile::base {
   include zulip::profile::base
   include zulip_ops::munin_node
+  include zulip_ops::ksplice_uptrack
 
   $org_base_packages = [# Management for our systems
     'openssh-server',

puppet/zulip_ops/templates/uptrack/uptrack.conf.erb

@@ -0,0 +1,66 @@
+[Auth]
+accesskey = <%= @ksplice_access_key %>
+
+[Network]
+# Proxy to use when accessing the Uptrack server, of the form
+# [protocol://][username:password@]<host>[:port], where
+# * protocol is the protocol to connect to the proxy (http or https)
+# * the username and password are the authentication
+#   information needed to use your proxy (if any).
+# * host and port are the hostname/ip address and port number used to
+#   connect to the proxy
+#
+# The proxy must support making HTTPS connections. If this is unset,
+# Uptrack will look for the https_proxy, HTTPS_PROXY, and http_proxy
+# environment variables in that order, and then finally look for a
+# proxy setting in the system-wide GConf database, if available and
+# enabled below.
+#
+# You can also set this to "None" to force Uptrack not to use a proxy,
+# even if one is set in the environment.
+https_proxy =
+
+# Look for proxy setting in the system-wide GConf database, if it's
+# not set in the above variable or in an environment variable.
+#
+# This is broken in later versions of Ubuntu (and other distros too)
+# so we disable this by default. See LP: #812940.
+gconf_proxy_lookup = no
+
+### Uptrack Local Server options ###
+
+# The path to the CA certificate file used to verify the Uptrack
+# server.
+#ssl_ca_cert_file =
+
+# The directory for CA certificate files used to verify the Uptrack
+# server.
+#ssl_ca_cert_dir =
+
+# The location of the Uptrack updates repository.
+#update_repo_url=
+
+### End of Uptrack Local Server options ###
+
+[Settings]
+# Automatically install updates at boot time. If this is set, on
+# reboot into the same kernel, Uptrack will re-install the same set of
+# updates that were present before the reboot.
+install_on_reboot = yes
+
+# Automatically install all available updates at boot time, even if
+# rebooted into a different kernel.
+#upgrade_on_reboot = yes
+
+# Uptrack runs in a cron job every few hours to check for and download
+# new updates. You can can configure this cron job to automatically
+# install new updates as they become available.
+#
+# Enable this option to make the cron job automatically install new
+# updates.
+#
+# Please note that enabling autoinstall does not mean the Uptrack
+# client itself is automatically upgraded. You will be notified via
+# e-mail when a new Uptrack client is available, and it can be
+# upgraded through your package manager.
+autoinstall = yes

scripts/lib/setup-apt-repo-ksplice

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+set -x
+set -e
+set -u
+set -o pipefail
+
+verify=false
+args="$(getopt -o '' --long verify -- "$@")"
+eval "set -- $args"
+while true; do
+    case "$1" in
+        --verify)
+            verify=true
+            shift
+            ;;
+        --)
+            shift
+            break
+            ;;
+    esac
+done
+
+# Ensure the directory for LAST_DEPENDENCIES_HASH exists
+mkdir -p /var/lib/zulip
+
+SOURCES_FILE=/etc/apt/sources.list.d/ksplice.list
+STAMP_FILE=/etc/apt/sources.list.d/ksplice.list.apt-update-in-progress
+
+ZULIP_SCRIPTS="$(dirname "$(dirname "$0")")"
+DEPENDENCIES_HASH=$(sha1sum "$ZULIP_SCRIPTS/setup/"*.asc "$0")
+DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state-ksplice"
+# Ensure that DEPENDENCIES_HASH_FILE exists before hashing it.
+touch "$DEPENDENCIES_HASH_FILE"
+LAST_DEPENDENCIES_HASH="$(cat "$DEPENDENCIES_HASH_FILE")"
+
+# First, we only do anything in setup-apt-repo if any of its inputs
+# (apt keys, code, etc.)  changed.
+if [ "$DEPENDENCIES_HASH" = "$LAST_DEPENDENCIES_HASH" ]; then
+    exit 0
+elif [ "$verify" == true ]; then
+    exit 1
+fi
+
+# Ensure that the sources file exists
+touch "$SOURCES_FILE"
+
+# Hash it to check if the sources file is changed by the script later.
+zulip_source_hash=$(sha1sum "$SOURCES_FILE")
+
+pre_setup_deps=(lsb-release apt-transport-https ca-certificates gnupg wget)
+if ! apt-get -dy install "${pre_setup_deps[@]}"; then
+    apt-get update
+fi
+apt-get -y install "${pre_setup_deps[@]}"
+
+SCRIPTS_PATH="$(cd "$(dirname "$(dirname "$0")")" && pwd)"
+
+release=$(lsb_release -sc)
+if [[ "$release" =~ ^(buster|bionic|cosmic|disco|eoan|focal|groovy)$ ]]; then
+    apt-key add "$SCRIPTS_PATH"/setup/ksplice.asc
+    cat >$SOURCES_FILE <<EOF
+deb http://www.ksplice.com/apt $release ksplice
+deb-src http://www.ksplice.com/apt $release ksplice
+EOF
+else
+    echo "Unsupported release $release."
+    exit 1
+fi
+
+if [ "$zulip_source_hash" = "$(sha1sum "$SOURCES_FILE")" ] && ! [ -e "$STAMP_FILE" ]; then
+    echo "zulip.list file did not change; skipping apt-get update"
+else
+    # We create this stamp file to ensure `apt-get update` will be run
+    # the next time this script is invoked, and each time after, until
+    # `apt-get update` finishes successfully.
+    touch "$STAMP_FILE"
+    apt-get update && rm -f "$STAMP_FILE"
+fi
+
+echo "$DEPENDENCIES_HASH" >"$DEPENDENCIES_HASH_FILE"

scripts/setup/ksplice.asc

@@ -0,0 +1,65 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBEoTaW8BCADXQtpKT5gzOC+/Me50Z07GHfZqkjAThrY+XGhKenklDrZA8nXe
+FDcmlmMvfeSViP5UH+X7tzjUFT2FcUh65+Onggi/J9nFIDweQXxpzDYyWCK+B0RX
+InKsq3TfEs5G0yIfYuKi/pgLYkFBls0stWC+1BS+3Lx4uDRTb/44D4LgzHKoAfy1
+Soho8nDDL1pWEpQAq/5yVSgRc1Vvs1s+CmR8zE5gVi3cfGS0kigdfZJVEdAY/w99
+t3abgYo1Eq3+Vc1bb+5DiEQZlZsWxWglQlvSyx60U2oxr05Ki+3ZyBomfFCTfL2m
+fzzJ8cyglzNhFKhyFQIHqzoPR+Sxl8ppcnEJABEBAAG0NktzcGxpY2UgQVBUIFJl
+cG9zaXRvcnkgU2lnbmluZyBLZXkgPGRldmVsQGtzcGxpY2UuY29tPokBNgQTAQgA
+IAUCShNpbwIbAwULCQgHAwQVCgkIBRYCAwEAAh4BAheAAAoJEPfKYmW21AOO/pUH
+/jKDtB3iRU2B4jii71CSFyFaz3BvJvgRMmIf53L85h3sUvqeVJiy8MoreWeoxst9
+uJBnp8W61QwolCbU6awqdZ2ywRi7JyYNopaEKptxJ3EgBYm+Dq0S7srQK0qCMdRX
+k7OrhCoJEmev7SazhpdIkMWPtRyksgktBMlwQ5/PyLyW+mP3a8ujYDjMIqzScyDV
+YBTKK8HtXaLb6Y2Fu4jinAm4YLP3XfnAyNE1Xi9fkzTBWgC4AZ4wctQWxViu6Q91
+HBB1xBjQYD6aCrPLB8/EtYO6n9UoIov6We8qwDDq7oufEKt8/uLXsomEbaWgOqAv
+wZzpU6ZHueA8JEmNQYzf6pWZAg0EXKv2DQEQANWkHff3Mp7btrQsBCfiNYNh9fi2
+0KBhtfWyDI4pyU7ZkzF0sgXZPPUquYuKbRqbqW1NghWk/SFUewfWLLsxpWDUr+9p
+ghLx2MvdKuaNfvQ/dAoiu7kevyIY4q9fiMwdtRmaCFnJVF2+XZA1z2iH6X6LcLPI
+KEWU1Xd0aWaxoFFPqjkRy+dlDxxV2xsWdEBikIM7rnA4K6NY1V7YXl4DrHLiZB9U
+4K4XuNjWxvjNFqdNUTSFnLKKDo55NmO62OvtX6QOtPkrc91efaQ+xVZwR0kk61r6
+Gon3CcDVqJMk02m9E/p8m2+LDymgmokgPtVQ9N8anfyTqw997gGaoR9FJRs1Pkko
+IW+Wnhjf2kfOYp9f7yON5nZeAHH9ngaxbqr+0A6SxnyccH9cg9mSvpX61ddk/gPm
+l40hYvGHNrnzkUOIaLx3Vngogyl6omFS7bi+t72uZifbA4U/oZhl+LUo4wiYCNAL
+XcGS2kCVKoM3MJB6mg1++gaI7y/Sw7yYfLXp+mn6GTtPiG95JyhhggFpMxx1MSW8
++MDmaBdNoEX+q20XUuUV/nU+82QpBWgJHtX36m5kaxZ6r0q/4ZpRgLe4qj3owoI7
+gbfi5K725ijh5nfKvsayVIzqsHQWLjJ8NP1H2ZLxgem4IqGBDkhQGXrHvaHWzTb6
+ZqF54fQJkxtX/uETABEBAAG0RE9yYWNsZSBPU1MgZ3JvdXAgKE9wZW4gU291cmNl
+IFNvZnR3YXJlIGdyb3VwKSA8YnVpbGRAb3NzLm9yYWNsZS5jb20+iQI+BBMBAgAo
+BQJcq/YNAhsDBQklmAYABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCCVi6p
+rZhto3nfD/4vHhyoqJ+yURoGlbPjKodwC27PbmwJbjBsfhXnoR8pkCH5ZD8nA8XJ
+tLLCpvOAhSsiXODwIy5ScozkESVSQo8Ngj4KO9S0/QH14VOGqOntY2XLQhBfyoLq
+n+BMsNe4RsouP4R8u8qKGpwva0khpBaJABp+0bkMUchqdmlWvzx5cnAAwKV7+bb3
+HsriDRz3n29l0UXuKCAhweVMncZYZsvNFeLR9dVNAkCW1HkbH4WdGdKYCmUvqPVQ
+bVyB6xmt8lls2yXT7kSrigdQ3exOBqpNhoxZHuMfocUX7l3Tmd2mW0tdsbohrVzV
+nh76FrZ6EGdx4HFIK3lVPnO2a8kKbhBPj5LwAqx1AunHddZNazkHjUNjLfJAdpDP
+5KjjZgS28YJ6Y+wJ+SJ3xk0SW2X0ozSIdglsV6G/ZyRl7hFU0QNWC6uWcQQogK+F
+/BLhvPYhBk9JhAsYuZRjCmmR/ZWOQOFNBQynWKoteyiUKMN9NxmuVRoARc/sDXC4
+sGUAQcT/Jk5lupyATgBkqRWclia7aWtKQ2GKww5WxWEPILIUTDX58P5Ge9H240c6
+qB5NX/qQ7Ia76cLx2fArKrTAsnO77wQ116Zy+V32nDHcU9ZMZDgYY0ncxV3B/Cdi
+SDm8oYNI6Y8O4SefGRo8mtMkgdIld+NKD8zQ+IsZdw4ykZU15ulJArkCDQRcq/YN
+ARAAodmaW82j7/5qZiH06CeXNJRy2osQ2R7ybtDsddRqQRmBN9FTRqf71OZ+hQLI
+dLXWrcDSX4WgH8UFPjkHLFR1/znShB3Q8Cmqjk3E2lAKpiA4I6lMdPRKdGH2BAIM
+aDN9hJmXwwT6LMRTlY6NDnWD/ZqM4NcYhYc/BgTyVnIXu0TtsU0TC97uwitB58BH
+R4BLPw8wV1DlRL+9hlD6N4tTZ1mp+XYHsCc/sy5elrfUySEHeVph0f69ZpAs9uT9
+uHty8q2QNsMdjXc1LadOlbJ+N5QIWkMe6nMw2RyVzQh/jhYoDVrSw7t3qYFbJUzQ
+iCsLGJ5cn8RlUWSFcS6Vwa74vSIeGRH00Dp1Fe8L/AmewIBKPPEWrLOWFN81HVDB
+Z1kmkLwiX2gfdVytPhO0S8kPG5dMyp4xI581Kx2pqIT27q2BsLXeoFO9uygGD1Gz
+aFjadGpSE2G8yhFu3VTWpfCGf/2DV/7WLca8QPqPYC5YydT3N6FHfaK4ZCXjySjj
+bxtEQ/PTwBj76/f+fhT9xuygnMC8KDX5ZhB7bq/SYgki7M6Z4VGZdxpMdRm/Jjpq
+pK9B46ejSHVyNFkA31PpnyqVhvCHzKEY2V/JtA+aV3+h6IM1WvjexKXpbTZM4sVn
+fqHZ4am3YspRXP7MVDCsB0W7pSj/WWAZEZvMF7M2BQKRAIsAEQEAAYkCJQQYAQIA
+DwUCXKv2DQIbDAUJJZgGAAAKCRCCVi6prZhto7gSD/9ZESN0eiy9Ms9uMPCa0fRH
+dPCKz96oc9Krnsj2MNI69ENaS/j8KJ0G7X4WxMOkiefjCIAgT14xv8vz0JzZjkvL
+MeXM5EkwSDMSpyMh7CpFwTK8xvJOfHgZziEqIyFFwwtZC5anr8lPT34Heg/NAtce
++4C4q7RmMUmXXqht2gvu0BMA4+2qbGTC3bYbWUGQZRUI6IS7CDX70CCIyEMe3oaD
+zAeMqhCIe/il4YMrFyV19MVMAfTe/H7abBPrVr9GMTViofOaWqZNrz1IM0NK2sbZ
+WKRIHRh0O6pLMHoUxxRGS0nDDKE4oSMnhzbTBkbnFB+Il85yKPZBg9bm9i1A0Kcp
++ymwXsEI/8Zd1gBODJqMLGnimQ2wBmVHIdTHXM8xHUTX6x76XmzXzLRX5v7VgESY
+CZwQwv1F6/5FvJ35heYn4/2sNOGS89fFX7gdmCXSZe9N3UJRSc2d3jRlLMWjyFOa
+v/6PZPuJHfBzGejK/93ww5Sq5iwoMt0Gv2eD4K9t//yU0knp1sJABwRe9GfwUqOr
+6I/6Ec9dc6H8Wsy8EmtsPdXoXrl7K/Isw3vgJrF3YHau7TXIs0YBFmvyI4fdx23h
+vILSVIDnXI14+ih7od+AIQCwUS+i+KWvuQVuykMas/j3CHR6+1EM+ap+MwuKJpHE
+5d586NuHxeqt80YNMJDN0Q==
+=Y2MU
+-----END PGP PUBLIC KEY BLOCK-----