Added puppetlabs-firewall (required by puppetlabs-postgresql), updated the other modules.

This commit is contained in:
Ciaby 2014-07-11 14:51:15 -05:00
parent 5f4b7a3b72
commit dee66abcdd
137 changed files with 11118 additions and 419 deletions


@ -4,6 +4,7 @@ class postgresql::server::config {
$ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user
$ip_mask_allow_all_users = $postgresql::server::ip_mask_allow_all_users
$listen_addresses = $postgresql::server::listen_addresses
$port = $postgresql::server::port
$ipv4acls = $postgresql::server::ipv4acls
$ipv6acls = $postgresql::server::ipv6acls
$pg_hba_conf_path = $postgresql::server::pg_hba_conf_path
@ -19,7 +20,7 @@ class postgresql::server::config {
if ($manage_pg_hba_conf == true) {
# Prepare the main pg_hba file
concat { $pg_hba_conf_path:
owner => 0,
owner => $user,
group => $group,
mode => '0640',
warn => true,
@ -97,6 +98,18 @@ class postgresql::server::config {
postgresql::server::config_entry { 'listen_addresses':
value => $listen_addresses,
}
postgresql::server::config_entry { 'port':
value => "${port}",
}
# RedHat-based systems hardcode some PG* variables in the init script, and need to be overriden
# in /etc/sysconfig/pgsql/postgresql. Create a blank file so we can manage it with augeas later.
if ($::osfamily == 'RedHat') and ($::operatingsystemrelease !~ /^7/) {
file { '/etc/sysconfig/pgsql/postgresql':
ensure => present,
replace => false,
}
}
} else {
file { $pg_hba_conf_path:
ensure => absent,
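Review bot: The new `file { '/etc/sysconfig/pgsql/postgresql': ensure => present, replace => false }` sets no owner, group or mode, so the file is created with whatever the agent's umask yields, and the RedHat init script sources it as root; pin it with `owner => 'root', group => 'root', mode => '0644',` so it cannot end up group- or world-writable. The `$::operatingsystemrelease !~ /^7/` test also routes every RedHat-family release whose number does not begin with 7 into the sysconfig path, which presumably misclassifies Fedora (systemd, release numbers like 20) — worth confirming, or keying the check on `$::operatingsystem` as well. The `else` branch opened at the end of the hunk continues outside it.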


@ -11,6 +11,10 @@ define postgresql::server::config_entry (
default => $path,
}
Exec {
logoutput => 'on_failure',
}
case $name {
/data_directory|hba_file|ident_file|include|listen_addresses|port|max_connections|superuser_reserved_connections|unix_socket_directory|unix_socket_group|unix_socket_permissions|bonjour|bonjour_name|ssl|ssl_ciphers|shared_buffers|max_prepared_transactions|max_files_per_process|shared_preload_libraries|wal_level|wal_buffers|archive_mode|max_wal_senders|hot_standby|logging_collector|silent_mode|track_activity_query_size|autovacuum_max_workers|autovacuum_freeze_max_age|max_locks_per_transaction|max_pred_locks_per_transaction|restart_after_crash|lc_messages|lc_monetary|lc_numeric|lc_time/: {
Postgresql_conf {
@ -26,6 +30,52 @@ define postgresql::server::config_entry (
}
}
# We have to handle ports in a weird and special way. On Redhat we either
# have to create a systemd override for the port or update the sysconfig
# file.
if $::osfamily == 'RedHat' {
if $::operatingsystemrelease =~ /^7/ {
if $name == 'port' {
file { 'systemd-port-override':
ensure => present,
path => '/etc/systemd/system/postgresql.service',
owner => root,
group => root,
content => template('postgresql/systemd-port-override.erb'),
notify => [ Exec['restart-systemd'], Class['postgresql::server::service'] ],
before => Class['postgresql::server::reload'],
}
exec { 'restart-systemd':
command => 'systemctl daemon-reload',
refreshonly => true,
path => '/bin:/usr/bin:/usr/local/bin'
}
}
} else {
if $name == 'port' {
# We need to force postgresql to stop before updating the port
# because puppet becomes confused and is unable to manage the
# service appropriately.
exec { 'postgresql_stop':
command => "service ${::postgresql::server::service_name} stop",
onlyif => "service ${::postgresql::server::service_name} status",
unless => "grep 'PGPORT=${value}' /etc/sysconfig/pgsql/postgresql",
path => '/sbin:/bin:/usr/bin:/usr/local/bin',
require => File['/etc/sysconfig/pgsql/postgresql'],
} ->
augeas { 'override PGPORT in /etc/sysconfig/pgsql/postgresql':
lens => 'Shellvars.lns',
incl => '/etc/sysconfig/pgsql/*',
context => '/files/etc/sysconfig/pgsql/postgresql',
changes => "set PGPORT ${value}",
require => File['/etc/sysconfig/pgsql/postgresql'],
notify => Class['postgresql::server::service'],
before => Class['postgresql::server::reload'],
}
}
}
}
case $ensure {
/present|absent/: {
postgresql_conf { $name:
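Review bot: The `unless` on `exec { 'postgresql_stop' }` uses an unanchored `grep 'PGPORT=${value}'`, so a sysconfig file already holding `PGPORT=54321` satisfies the check for a requested port of 5432, the stop is skipped, and augeas still rewrites the port under a running server; anchor it as `unless => "grep '^PGPORT=${value}$' /etc/sysconfig/pgsql/postgresql",`. `${value}` is also spliced unquoted into a shell command here and as `--port='${port}'` in the database.pp hunk, so nothing stops a non-numeric port from reaching the shell; validating once where `$port` is read in postgresql::server::config (e.g. `validate_re("${port}", '^\d+$')`) would cover both. The `case $ensure` at the end of the hunk continues outside it.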


@ -12,13 +12,16 @@ define postgresql::server::database(
$user = $postgresql::server::user
$group = $postgresql::server::group
$psql_path = $postgresql::server::psql_path
$port = $postgresql::server::port
$version = $postgresql::server::version
$default_db = $postgresql::server::default_database
# Set the defaults for the postgresql_psql resource
Postgresql_psql {
psql_user => $user,
psql_group => $group,
psql_path => $psql_path,
port => $port,
}
# Optionally set the locale switch. Older versions of createdb may not accept
@ -44,11 +47,13 @@ define postgresql::server::database(
default => "--tablespace='${tablespace}' ",
}
$createdb_command = "${createdb_path} --owner='${owner}' --template=${template} ${encoding_option}${locale_option}${tablespace_option} '${dbname}'"
$createdb_command = "${createdb_path} --port='${port}' --owner='${owner}' --template=${template} ${encoding_option}${locale_option}${tablespace_option} '${dbname}'"
postgresql_psql { "Check for existence of db '${dbname}'":
command => 'SELECT 1',
unless => "SELECT datname FROM pg_database WHERE datname='${dbname}'",
db => $default_db,
port => $port,
require => Class['postgresql::server::service']
}~>
exec { $createdb_command :
@ -60,13 +65,15 @@ define postgresql::server::database(
# This will prevent users from connecting to the database unless they've been
# granted privileges.
postgresql_psql {"REVOKE ${public_revoke_privilege} ON DATABASE \"${dbname}\" FROM public":
db => $user,
db => $default_db,
port => $port,
refreshonly => true,
}
Exec [ $createdb_command ]->
postgresql_psql {"UPDATE pg_database SET datistemplate = ${istemplate} WHERE datname = '${dbname}'":
unless => "SELECT datname FROM pg_database WHERE datname = '${dbname}' AND datistemplate = ${istemplate}",
db => $default_db,
}
# Build up dependencies on tablespace
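Review bot: The explicit `port => $port` on the two `postgresql_psql` resources in this section (the existence check and the REVOKE) is redundant: the `Postgresql_psql { ... port => $port, }` default added at the top of the define already applies to every postgresql_psql in scope, which is also why the `UPDATE pg_database` resource below works without one. Dropping the two lines keeps the define consistent with itself; if they are kept for readability, the UPDATE resource should carry one too so a reader does not conclude it is missing. The define continues outside the hunk.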


@ -3,6 +3,7 @@
define postgresql::server::db (
$user,
$password,
$dbname = $title,
$encoding = $postgresql::server::encoding,
$locale = $postgresql::server::locale,
$grant = 'ALL',
@ -11,13 +12,16 @@ define postgresql::server::db (
$istemplate = false,
$owner = undef
) {
postgresql::server::database { $name:
encoding => $encoding,
tablespace => $tablespace,
template => $template,
locale => $locale,
istemplate => $istemplate,
owner => $owner,
if ! defined(Postgresql::Server::Database[$dbname]) {
postgresql::server::database { $dbname:
encoding => $encoding,
tablespace => $tablespace,
template => $template,
locale => $locale,
istemplate => $istemplate,
owner => $owner,
}
}
if ! defined(Postgresql::Server::Role[$user]) {
@ -26,10 +30,12 @@ define postgresql::server::db (
}
}
postgresql::server::database_grant { "GRANT ${user} - ${grant} - ${name}":
privilege => $grant,
db => $name,
role => $user,
if ! defined(Postgresql::Server::Database_grant["GRANT ${user} - ${grant} - ${dbname}"]) {
postgresql::server::database_grant { "GRANT ${user} - ${grant} - ${dbname}":
privilege => $grant,
db => $dbname,
role => $user,
}
}
if($tablespace != undef and defined(Postgresql::Server::Tablespace[$tablespace])) {
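Review bot: The `if ! defined(Postgresql::Server::Database[$dbname])` and `if ! defined(Postgresql::Server::Database_grant[...])` guards in the second hunk are parse-order dependent: `defined()` only sees resources evaluated earlier in the catalog, so two `postgresql::server::db` instances naming the same `$dbname` can still collide depending on which one the compiler reaches first. `ensure_resource('postgresql::server::database', $dbname, { encoding => $encoding, ... })` from stdlib is the usual replacement — it declares the resource when absent and raises a duplicate-declaration error on mismatched parameters instead of silently skipping. The pre-existing `Postgresql::Server::Role[$user]` guard has the same property; the define continues outside the hunk.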


@ -3,17 +3,17 @@ class postgresql::server::firewall {
$ensure = $postgresql::server::ensure
$manage_firewall = $postgresql::server::manage_firewall
$firewall_supported = $postgresql::server::firewall_supported
$port = $postgresql::server::port
if ($manage_firewall and $firewall_supported) {
if ($ensure == 'present' or $ensure == true) {
# TODO: get rid of hard-coded port
firewall { '5432 accept - postgres':
port => '5432',
firewall { "$port accept - postgres":
port => $port,
proto => 'tcp',
action => 'accept',
}
} else {
firewall { '5432 accept - postgres':
firewall { "$port accept - postgres":
ensure => absent,
}
}
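Review bot: The resource titles `"$port accept - postgres"` on both branches use a bare `$port` inside a double-quoted string; the rest of this commit writes `"${port}"` (e.g. `value => "${port}"` in config.pp) and puppet-lint flags the bare form, so write `firewall { "${port} accept - postgres":`. Since the firewall module identifies a managed rule by its title, a host that previously received the hard-coded `'5432 accept - postgres'` rule will presumably keep it once `$port` is changed, as the `ensure => absent` branch now only names the new title — worth a README note or a one-time cleanup of the old title.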


@ -5,8 +5,9 @@ define postgresql::server::grant (
$privilege = undef,
$object_type = 'database',
$object_name = $db,
$psql_db = $postgresql::server::user,
$psql_user = $postgresql::server::user
$psql_db = $postgresql::server::default_database,
$psql_user = $postgresql::server::user,
$port = $postgresql::server::port
) {
$group = $postgresql::server::group
$psql_path = $postgresql::server::psql_path
@ -68,6 +69,7 @@ define postgresql::server::grant (
$grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\""
postgresql_psql { $grant_cmd:
db => $on_db,
port => $port,
psql_user => $psql_user,
psql_group => $group,
psql_path => $psql_path,


@ -23,7 +23,7 @@ class postgresql::server::install {
# This will clean up anything we miss
exec { 'apt-get-autoremove-postgresql-client-brute':
command => "dpkg -P postgresql*",
command => 'dpkg -P postgresql*',
onlyif => "dpkg -l postgresql* | grep -e '^ii'",
logoutput => on_failure,
path => '/usr/bin:/bin:/usr/sbin/:/sbin',


@ -0,0 +1,32 @@
# Install the postgis postgresql packaging. See README.md for more details.
class postgresql::server::postgis (
$package_name = $postgresql::params::postgis_package_name,
$package_ensure = 'present'
) inherits postgresql::params {
validate_string($package_name)
package { 'postgresql-postgis':
ensure => $package_ensure,
name => $package_name,
tag => 'postgresql',
}
if($package_ensure == 'present' or $package_ensure == true) {
anchor { 'postgresql::server::postgis::start': }->
Class['postgresql::server::install']->
Package['postgresql-postgis']->
Class['postgresql::server::service']->
anchor { 'postgresql::server::postgis::end': }
if $postgresql::globals::manage_package_repo {
Class['postgresql::repo'] ->
Package['postgresql-postgis']
}
} else {
anchor { 'postgresql::server::postgis::start': }->
Class['postgresql::server::service']->
Package['postgresql-postgis']->
Class['postgresql::server::install']->
anchor { 'postgresql::server::postgis::end': }
}
}
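Review bot: `if($package_ensure == 'present' or $package_ensure == true)` sends every other value — `'latest'`, `'installed'` or a pinned version string — down the `else` branch, which orders the package as if it were being removed (`Class['postgresql::server::service']` → `Package` → `Class['postgresql::server::install']`), so a pinned postgis version is installed before the server install class and its repo ordering is skipped. Inverting the test to name the removal cases, `if $package_ensure != 'absent' and $package_ensure != 'purged' {`, keeps the install ordering for every install-like value. `validate_string($package_name)` is present but nothing constrains `$package_ensure`; the hunk header counts 32 added lines while 29 are rendered, so blank lines were presumably dropped in display.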


@ -10,6 +10,7 @@ class postgresql::server::reload {
command => "service ${service_name} reload",
onlyif => $service_status,
refreshonly => true,
require => Class['postgresql::server::service'],
}
}
}


@ -3,8 +3,10 @@ define postgresql::server::role(
$password_hash = false,
$createdb = false,
$createrole = false,
$db = $postgresql::server::user,
$db = $postgresql::server::default_database,
$port = $postgresql::server::port,
$login = true,
$inherit = true,
$superuser = false,
$replication = false,
$connection_limit = '-1',
@ -16,6 +18,7 @@ define postgresql::server::role(
$version = $postgresql::server::version
$login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' }
$inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' }
$createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
$createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' }
$superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' }
@ -28,6 +31,7 @@ define postgresql::server::role(
Postgresql_psql {
db => $db,
port => $port,
psql_user => $psql_user,
psql_group => $psql_group,
psql_path => $psql_path,
@ -55,6 +59,10 @@ define postgresql::server::role(
unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcanlogin=${login}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}":
unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolinherit=${inherit}",
}
if(versioncmp($version, '9.1') >= 0) {
if $replication_sql == '' {
postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION":
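Review bot: The new `unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolinherit=${inherit}"` interpolates `$inherit` straight into SQL, and the define takes it as a plain parameter (`$inherit = true`), so a non-boolean value lands inside the query instead of being rejected; the pre-existing `rolcanlogin=${login}` on the line above has the same shape. A `validate_bool($inherit)` — and `validate_bool($createrole)`, which now feeds `$createrole_sql` — near the top of the define would keep the interpolated values to `true`/`false`, unless the define already validates them outside the hunk, which I cannot see from here. The define's body starts and ends outside the hunks shown.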


@ -1,13 +1,25 @@
# PRIVATE CLASS: do not call directly
class postgresql::server::service {
$ensure = $postgresql::server::ensure
$service_ensure = $postgresql::server::service_ensure
$service_name = $postgresql::server::service_name
$service_provider = $postgresql::server::service_provider
$service_status = $postgresql::server::service_status
$user = $postgresql::server::user
$port = $postgresql::server::port
$default_database = $postgresql::server::default_database
$service_ensure = $ensure ? {
if $service_ensure {
$real_service_ensure = $service_ensure
} else {
$real_service_ensure = $ensure ? {
present => 'running',
absent => 'stopped',
default => $ensure
}
}
$service_enable = $ensure ? {
present => true,
absent => false,
default => $ensure
@ -16,15 +28,15 @@ class postgresql::server::service {
anchor { 'postgresql::server::service::begin': }
service { 'postgresqld':
ensure => $service_ensure,
ensure => $real_service_ensure,
name => $service_name,
enable => $service_ensure,
enable => $service_enable,
provider => $service_provider,
hasstatus => true,
status => $service_status,
}
if($service_ensure) {
if $real_service_ensure == 'running' {
# This blocks the class before continuing if chained correctly, making
# sure the service really is 'up' before continuing.
#
@ -33,6 +45,7 @@ class postgresql::server::service {
postgresql::validate_db_connection { 'validate_service_is_running':
run_as => $user,
database_name => $default_database,
database_port => $port,
sleep => 1,
tries => 60,
create_db_first => false,
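Review bot: `if $real_service_ensure == 'running'` no longer runs the connection validation when `$ensure` is `true`: the selector's `default => $ensure` leaves `$real_service_ensure` as the boolean `true`, which `service` accepts as running but which does not equal `'running'`, whereas the replaced `if($service_ensure)` was true for it. The module accepts `true` for `$ensure` elsewhere in this commit (`$ensure == true` in postgresql::server::firewall), so the test should read `if $real_service_ensure == 'running' or $real_service_ensure == true {`. `$service_enable` is also still derived from `$ensure` rather than `$real_service_ensure`, so `service_ensure => 'stopped'` with the default `$ensure` yields a stopped-but-enabled service — presumably intended, but worth a comment next to the selector.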


@ -5,12 +5,14 @@ define postgresql::server::table_grant(
$table,
$db,
$role,
$port = $postgresql::server::port,
$psql_db = undef,
$psql_user = undef
) {
postgresql::server::grant { "table:${name}":
role => $role,
db => $db,
port => $port,
privilege => $privilege,
object_type => 'TABLE',
object_name => $table,


@ -6,12 +6,14 @@ define postgresql::server::tablespace(
) {
$user = $postgresql::server::user
$group = $postgresql::server::group
$port = $postgresql::server::port
$psql_path = $postgresql::server::psql_path
Postgresql_psql {
psql_user => $user,
psql_group => $group,
psql_path => $psql_path,
port => $port,
}
if ($owner == undef) {