epost-dev / opennebula-puppet-module
The one module allows you to install and manage your OpenNebula cloud
License: Apache License 2.0
ONE types do not autorequire other ONE types.
We need discussion whether we want autorequire.
e.g.
Cluster needs Datastore, VNet and Hosts.
Images need their datastore
Templates need images
VM needs templates.
Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). I think this is a smell, and I was wondering why HTTP is used? Is it because of lack of tool support? I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol.
Any feedback is appreciated.
Source: https://github.com/epost-dev/opennebula-puppet-module/blob/master/manifests/params.pp (line#142)
When automated like this (names and addresses changed for data privacy's sake):
[admin@server1 ~]$ crontab -l
...
# Puppet Name: one_db_backup
0 * * * * /var/lib/one/bin/one_db_backup.sh
and writing to an NFS share like this:
[root@server1 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootdg-LogVol00
3.9G 1.3G 2.4G 36% /
tmpfs 1.9G 0 1.9G 0% /dev/shm
/dev/mapper/rootdg-LogVol08
976M 1.3M 924M 1% /admin
/dev/mapper/rootdg-LogVol07
120M 1.6M 113M 2% /audit
/dev/vda1 283M 148M 120M 56% /boot
/dev/mapper/rootdg-LogVol04
969M 1.7M 917M 1% /home
/dev/mapper/rootdg-LogVol03
1.9G 25M 1.8G 2% /opt
/dev/mapper/rootdg-LogVol05
2.0G 30M 1.8G 2% /tmp
/dev/mapper/rootdg-LogVol02
2.0G 500M 1.4G 27% /var
/dev/mapper/rootdg-LogVol06
2.0G 3.0M 1.9G 1% /var/cores
/dev/mapper/rootdg-LogVol01
2.0G 285M 1.6G 16% /var/log
192.168.20.21:/server1_inf_backup
100G 474M 100G 1% /var/lib/one/nfs_backup
192.168.20.21:/server1_inf_datastore_0
200G 94G 107G 47% /var/lib/one/datastores/0
192.168.20.21:/server1_inf_datastore_1
500G 415G 86G 83% /var/lib/one/datastores/1
192.168.20.21:/server1_inf_datastore_2
1014M 4.3M 1010M 1% /var/lib/one/datastores/2
the backup script produces errors like this:
From [email protected] Fri Dec 22 12:00:03 2017
Return-Path: <[email protected]>
X-Original-To: admin
Delivered-To: [email protected]
Received: by server1.inf.ourdomain.de (Postfix, from userid 9869)
id 03EC71625; Fri, 22 Dec 2017 12:00:03 +0100 (CET)
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <admin@server11> /var/lib/one/bin/one_db_backup.sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <LC_ALL=en_US.utf-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/lib/one>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=admin>
X-Cron-Env: <USER=admin>
Message-Id: <[email protected]>
Date: Fri, 22 Dec 2017 12:00:03 +0100 (CET)
find: `/var/lib/one/nfs_backup/.nfs': Permission denied
The reason for this is that the script does not limit its file selection to the backup directory but descends into any subdirectories below. The .nfs subdirectory belongs to root, however, and has restrictive permissions (as it should):
[root@serverd1 nfs_backup]# ls -la .nfs
total 36
drwxrwx--- 4 root root 41 Dec 18 09:20 .
drwxr-xr-x 3 admin admin 28672 Jan 3 09:00 ..
drwx------ 2 root root 6 Nov 1 10:50 rmt
-rw-r--r-- 1 root root 97 Dec 18 09:24 rmtab
drwxrwx--- 4 root root 40 Oct 26 20:00 .sm.ha
[root@server1 nfs_backup]#
A simple fix would be to restrict the find operation to the backup dir itself.
OpenNebula 5 was released on June 15th, 2016. Could we get compatibility for it?
KVM UDP-push is activated by default. This should be configurable via a parameter.
Hi, using one 4.10 on CentOS 7 (a simple PR coming your way to support yum repos / changed packages), I'm trying to define a simple network:
onevnet { 'tenlocal':
  ensure       => present,
  bridge       => 'br0',
  addressrange => {
    'macstart' => '02:00:16:90:01:01',
    'size'     => '200',
    'type'     => 'ETHER',
  }
}
However I'm getting this error from Puppet 3.7.4:
Error: Invalid parameter network_start(:network_start)
Error: /Stage[main]/Roles::Default/Onevnet[tenlocal]/ensure: change from absent to present failed: Invalid parameter network_start(:network_start)
I don't understand this error since I didn't define network_start - I have an external DHCP server and am using the dummy virtual net driver to just bridge VMs with the rest of my network. This is working well on a manually-configured installation, and I would like to Puppetise the setup.
Cheers,
Gavin.
There is only a small subset of spec tests available.
We need far more (and better) rspec tests for types and providers.
Handling the sudo rules in this module may conflict with whatever people using this module use to handle sudo on their end. We should make sudo rule handling optional, though the default should be to keep current behavior.
This sort of references #205
The documentation should mention that puppetlabs-stdlib is needed. If the module is not present puppet fails with
Error: Unknown function validate_string at /root/modules/one/manifests/params.pp:163 on node centos6
The recent change to kvm driver config isn't working properly. When both the kvm emulator and nic settings are specified it doesn't idempotently make the updates and instead constantly appends to the file every time puppet runs. Even worse, it's appending the wrong output (i.e. `[]` on a line by itself) which causes a syntax error:
[]
NIC = [ filter = "clean-traffic", model="virtio" ]
[]
EMULATOR = /usr/libexec/qemu-kvm
[]
NIC = [ filter = "clean-traffic", model="virtio" ]
[]
EMULATOR = /usr/libexec/qemu-kvm
[]
NIC = [ filter = "clean-traffic", model="virtio" ]
[]
EMULATOR = /usr/libexec/qemu-kvm
[]
NIC = [ filter = "clean-traffic", model="virtio" ]
[]
EMULATOR = /usr/libexec/qemu-kvm
Error in logs:
Thu Sep 10 11:23:43 2015 [Z0][VMM][I]: Loading driver: kvm (KVM)
Thu Sep 10 11:23:43 2015 [Z0][VMM][E]: Error loading driver configuration file /etc/one/vmm_exec/vmm_exec_kvm.conf : syntax error, unexpected CBRACKET, expecting $end at line 60, columns 2797:2799
The onedatastore resource type ignores the basepath parameter when creating the datastore. The datastore will be created with a default path. When running puppet a second time puppet tries to change the basepath which fails as the provider doesn't support that action.
How to reproduce:
[root@centos6 ~]# mkdir modules
[root@centos6 ~]# git clone https://github.com/epost-dev/opennebula-puppet-module.git modules/one
....
[root@centos6 ~]# git clone https://github.com/puppetlabs/puppetlabs-stdlib.git modules/stdlib
....
node 'default' {
  class { one:
    oned => true,
  }
  onedatastore { 'beispiel':
    ensure   => present,
    type     => 'IMAGE_DS',
    dm       => 'fs',
    tm       => 'ssh',
    basepath => '/srv/beispiel',
  }
}
[root@centos6 ~]# puppet apply --modulepath=modules site.pp
...
[root@centos6 ~]# onedatastore list
ID NAME SIZE AVAIL CLUSTER IMAGES TYPE DS TM STAT
0 system 0M - - 0 sys - shared on
1 default 29.4G 89% - 0 img fs shared on
2 files 29.4G 89% - 0 fil fs ssh on
100 beispiel 29.4G 89% - 0 img fs ssh on
[root@centos6 ~]# onedatastore list -x | grep BASE
<BASE_PATH><![CDATA[/var/lib/one//datastores/0]]></BASE_PATH>
<BASE_PATH><![CDATA[/var/lib/one//datastores/]]></BASE_PATH>
<BASE_PATH><![CDATA[/var/lib/one//datastores/1]]></BASE_PATH>
<BASE_PATH><![CDATA[/var/lib/one//datastores/]]></BASE_PATH>
<BASE_PATH><![CDATA[/var/lib/one//datastores/2]]></BASE_PATH>
<BASE_PATH><![CDATA[/var/lib/one//datastores/]]></BASE_PATH>
<BASE_PATH><![CDATA[/var/lib/one//datastores/100]]></BASE_PATH>
<BASE_PATH><![CDATA[/var/lib/one//datastores/]]></BASE_PATH>
[root@centos6 ~]#
[root@centos6 ~]# puppet apply --modulepath=modules/ site.pp
Notice: Compiled catalog for centos6 in environment production in 2.73 seconds
Error: Can not modify basepath. You need to delete and recreate the datastore
Error: /Stage[main]/Main/Node[default]/Onedatastore[beispiel]/basepath: change from /var/lib/one//datastores/ to /srv/beispiel failed: Can not modify basepath. You need to delete and recreate the datastore
Notice: Finished catalog run in 5.95 seconds
[root@centos6 ~]#
this one could be used https://github.com/example42/puppet-sudo
seems like a new rake version is to blame. See https://travis-ci.org/epost-dev/opennebula-puppet-module/builds/173844223
see #259 (comment)
The oneimage provider also takes care of context files.
Changes within the puppet reference files do not lead to updated context files.
Given Puppet 3.7.4, CentOS 7 and hiera config:
oneimages:
  test-image:
    datastore: cephstore
    type: datablock
    persistent: true
    dev_prefix: vd
    driver: raw
    disk_type: RBD
    size: 4096
    fstype: raw
and this fragment in a Puppet manifest:
create_resources(oneimage, hiera_hash(oneimages))
I get the following segment of output:
Debug: Prefetching cli resources for oneimage
Debug: Executing '/usr/bin/oneimage list -x'
Error: Could not set 'present' on ensure: undefined method `to_s_upcase' for :DATABLOCK:Symbol
Error: Could not set 'present' on ensure: undefined method `to_s_upcase' for :DATABLOCK:Symbol
Wrapped exception:
undefined method `to_s_upcase' for :DATABLOCK:Symbol
Error: /Stage[main]/Roles::Onevm/Oneimage[test-image]/ensure: change from absent to present failed: Could not set 'present' on ensure: undefined method `to_s_upcase' for :DATABLOCK:Symbol
All of my current disks are DATABLOCK (<TYPE>2</TYPE>), and I did try to add a mapping 2 => DATABLOCK at line 100 of lib/puppet/provider/oneimage/cli.rb but it made no difference - I don't understand enough Ruby to see the logic of what's being attempted :/
Cheers,
Gavin.
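The error above names a method `to_s_upcase`, which does not exist on Symbol; the provider needs two calls, `.to_s.upcase`. The added example below (not the module's own code) normalises a declared image type given as a Symbol, String or numeric code, and compares it against the numeric TYPE codes that `oneimage list -x` reports. The XML is a constructed sample; the 0/1/2 code-to-name mapping is OpenNebula's.

```ruby
# Added example, not code from opennebula-puppet-module.
# Numeric TYPE codes as reported by `oneimage list -x` (OpenNebula values).
IMAGE_TYPE_BY_CODE = { '0' => 'OS', '1' => 'CDROM', '2' => 'DATABLOCK' }.freeze

# Normalise whatever Puppet hands over (Symbol, String or numeric code) to the
# upper-case TYPE name OpenNebula uses. The original failure came from calling a
# single method `to_s_upcase`; the fix is Symbol#to_s followed by String#upcase.
def normalize_image_type(value)
  name = value.to_s.upcase
  IMAGE_TYPE_BY_CODE.fetch(name, name)
end

# Extract NAME and TYPE per <IMAGE> element from list-style XML and map the
# numeric TYPE to its name, so it can be compared with a manifest declaration.
def parse_image_types(xml)
  xml.scan(%r{<IMAGE>(.*?)</IMAGE>}m).map do |(body)|
    name = body[%r{<NAME><!\[CDATA\[(.*?)\]\]></NAME>}, 1]
    type = body[%r{<TYPE>(\d+)</TYPE>}, 1]
    [name, normalize_image_type(type)]
  end.to_h
end

# True when the named image already exists with the declared type, i.e. the
# provider should report the resource as in sync instead of recreating it.
def image_in_sync?(xml, name, declared_type)
  parse_image_types(xml)[name] == normalize_image_type(declared_type)
end

# Constructed sample in the shape of the CLI's XML listing (not real output).
SAMPLE_XML = <<~XML
  <IMAGE_POOL>
    <IMAGE><NAME><![CDATA[test-image]]></NAME><TYPE>2</TYPE></IMAGE>
    <IMAGE><NAME><![CDATA[boot]]></NAME><TYPE>0</TYPE></IMAGE>
  </IMAGE_POOL>
XML

puts image_in_sync?(SAMPLE_XML, 'test-image', :datablock) # true
```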
ATM there are many explicit hiera calls.
I want to allow users to decide by themselves by making use of puppet 3 automatic data bindings.
This means a larger impact for existing users as we have to change the API (init.pp).
I will prepare a pull request for this one after I finished the types and providers.
But: this change definitely needs a major version bump.
Before moving forward with BC-incompatible changes we should create a last release of the 1.x version and then bump the major version. There have been several relevant changes since the 1.3.0 release, among them support for OpenNebula 4.14. See v1.3.0...1dcefbf
We'd like to support OpenNebula 4.14, so are working on templating the config files. There are a number of differences between 4.14 and 4.12, so we propose the following:
Let us know your thoughts regarding that. For now we've got a work in progress of updating the config template files on a fasrc/opennebula_4_14 branch (comparison view master...fasrc:opennebula_4_14)
Another option is to version the template directory - ie
└── templates
├── 4.12
├── 4.14
And then in paths to template files in puppet code:
file { '/etc/one/oned.conf':
  ensure  => file,
  owner   => 'root',
  mode    => '0640',
  content => template("one/${one_version}/oned.conf.erb"),
}
This approach has the benefit of a single branch to support all versions, but might make the code more complicated if we have to split anything out by version other than templates.
Thoughts?
onetemplate can not yet modify:
onetemplate provider can not yet manage
Hey Folks,
I have been using this module for a long time and I would like to use it in the future. The main problem for me is that this module is nailed to puppet 3.1 and also it is not up to date with the Puppetlabs Styleguide anymore.
I thought about the following steps to modify this module:
Please let me know what you think and what you guys at epost have in mind about this module in the future
Most properties do not have data validation.
This will cause problems when we expect a certain type and the declaration does it wrong.