pbsready-import.cfg.in 6.11 KB
[buildout]

extends = ${pbsready:output}

# Explicitly define extended parts from pbsready
# then add local parts
parts =
  logrotate
  logrotate-entry-cron
  logrotate-entry-equeue
  logrotate-entry-notifier
  logrotate-entry-resilient
  cron
  cron-entry-logrotate
  resilient-sshkeys-authority
  sshd-raw-server
  sshd-graceful
  sshkeys-sshd
  sshd-promise
  resilient-sshkeys-sshd-promise
  sshd-pbs-authorized-key
  notifier

  resiliency-takeover-script
  resilient-web-takeover-cgi-script
  resilient-web-takeover-httpd-wrapper
  resilient-web-takeover-httpd-promise

  check-backup-integrity-on-notification
  import-on-notification
  backup-checksum-integrity-promise
  resilient-publish-connection-parameter

  backup-signature-link

[resilient-publish-connection-parameter]
notification-url = http://[$${notifier:host}]:$${notifier:port}/notify
takeover-url = http://[$${resilient-web-takeover-httpd-configuration-file:listening-ip}]:$${resilient-web-takeover-httpd-configuration-file:listening-port}/
takeover-password = $${resilient-web-takeover-password:passwd}

# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
[sshd-port]
recipe = slapos.cookbook:free_port
minimum = 22210
maximum = 22219
ip = $${slap-network-information:global-ipv6}

# Define port of notifier (same reason)
[notifier-port]
recipe = slapos.cookbook:free_port
minimum = 65516
maximum = 65525
ip = $${notifier:host}

[import-on-notification]
# notifier.callback runs a script when a notification (sent by a parent PBS)
# is received
<= notifier
recipe = slapos.cookbook:notifier.callback
on-notification-id = $${slap-parameter:on-notification}
callback = $${importer:wrapper}

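# Renders bin/post-notification-run, the backup integrity check: it hashes
# every file of the backup with sha256sum (skipping backup.signature and
# rdiff-backup-data), sorts the result and diffs it against backup.signature.
# The diff is compared line by line, so the sort order must match the one
# used to produce backup.signature.
# The script now stops if it cannot enter the backup directory, instead of
# hashing whatever the current directory happens to be.
# NOTE(review): [backup-checksum-integrity-promise] exits 0 when diff-file is
# missing or empty. diff writes its error messages to stderr, so when
# backup.signature is missing diff-file ends up empty and the promise passes.
# Confirm that this fail-open behaviour is intended.
# NOTE(review): diff-file and proof-signature-file are built from
# basedirectory:backup while the script changes into directory:backup.
# Confirm the two files land outside the hashed tree, otherwise find picks
# them up and they show up as differences.
[post-notification-run]
recipe = collective.recipe.template
diff-file = $${basedirectory:backup}/backup.diff
proof-signature-file = $${basedirectory:backup}/proof.signature
input = inline:
  #!/${bash:location}/bin/bash
  cd $${directory:backup} || exit 1
  find -type f ! -name backup.signature ! -wholename "./rdiff-backup-data/*" -print0 | xargs -P4 -0 sha256sum  | LC_ALL=C sort -k 66 > $${:proof-signature-file}
  diff -ruw backup.signature $${:proof-signature-file} > $${:diff-file}
output = $${rootdirectory:bin}/post-notification-run
mode = 0700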

# Second callback bound to the same notification id as
# [import-on-notification]: it runs the integrity script rendered by
# [post-notification-run].
# NOTE(review): nothing in this file orders the two callbacks. Confirm how
# the notifier sequences them, so that the integrity check does not hash the
# backup while the import callback is still working on it.
[check-backup-integrity-on-notification]
<= notifier
recipe = slapos.cookbook:notifier.callback
on-notification-id = $${slap-parameter:on-notification}
callback = $${post-notification-run:output}

[backup-checksum-integrity-promise]
recipe = slapos.recipe.template:jinja2
template = inline:
  #!/${bash:location}/bin/bash
  backup_diff_file=$${post-notification-run:diff-file}
  if [ -f "$backup_diff_file" ]; then
    if [ $(wc -l "$backup_diff_file" | cut -d \  -f1) -eq 0 ]; then
      exit 0;
    else
      exit 1;
    fi
  else
    # If the file doesn't exist, the promise shouldn't raise a false positive
    exit 0;
  fi
rendered = $${basedirectory:promises}/backup-checksum-integrity
mode = 700

###########
# Generate the takeover script
###########
[resiliency-takeover-script]
recipe = slapos.cookbook:addresiliency
wrapper-takeover = $${rootdirectory:bin}/takeover
takeover-triggered-file-path = $${rootdirectory:srv}/takeover_triggered

# Add path of file created by takeover script when takeover is triggered
# Takeover script will create this file
# equeue process will watch for file existence.
[equeue]
takeover-triggered-file-path = $${resiliency-takeover-script:takeover-triggered-file-path}

###########
# Deploy a webserver allowing to do takeover from a web browser.
###########
# Generates the takeover password and stores it under srv/passwd. The value
# is handed to the CGI script (password key of
# [resilient-web-takeover-cgi-script]) and published as takeover-password in
# [resilient-publish-connection-parameter].
# NOTE(review): bytes = 8 looks short for a secret guarding an endpoint that
# listens on the global IPv6 address over plain http. Confirm how much
# entropy the generate.password recipe derives from it, and that the stored
# file is readable by its owner only.
[resilient-web-takeover-password]
recipe = slapos.cookbook:generate.password
storage-path = $${directory:srv}/passwd
bytes = 8

[resilient-web-takeover-cgi-script]
recipe = collective.recipe.template
input = ${resilient-web-takeover-cgi-script-download:destination}
output = $${directory:cgi-bin}/web-takeover.cgi
password = $${resilient-web-takeover-password:passwd}
mode = 700
proof-signature-url = $${publish:monitor-base-url}/private/resilient/backup.signature

# XXX could it be something lighter?
# XXX Add SSL
# Renders the Apache configuration of the takeover web page: one listener on
# the partition's global IPv6 address, CGI execution enabled for the cgi-bin
# document root, and web-takeover.cgi served as the directory index.
# NOTE(review): the listener is plain http (see "XXX Add SSL" above), so
# anything submitted to the takeover page, presumably including the takeover
# password, travels unencrypted.
# NOTE(review): the Directory block carries no Require/Allow rule although
# the authz modules are loaded. Access control presumably rests on the
# password check inside web-takeover.cgi; confirm against that script.
[resilient-web-takeover-httpd-configuration-file]
recipe = collective.recipe.template
input = inline:
  PidFile "$${:pid-file}"
  Listen [$${:listening-ip}]:$${:listening-port}
  ServerAdmin someone@email
  DocumentRoot "$${:document-root}"
  ErrorLog "$${:error-log}"
  LoadModule unixd_module modules/mod_unixd.so
  LoadModule access_compat_module modules/mod_access_compat.so
  LoadModule authz_core_module modules/mod_authz_core.so
  LoadModule authz_host_module modules/mod_authz_host.so
  LoadModule mime_module modules/mod_mime.so
  LoadModule cgid_module modules/mod_cgid.so
  LoadModule dir_module modules/mod_dir.so
  ScriptSock $${:cgid-pid-file}
  <Directory $${:document-root}>
    # XXX: security????
    Options +ExecCGI
    AddHandler cgi-script .cgi
    DirectoryIndex web-takeover.cgi
  </Directory>
output = $${directory:etc}/resilient-web-takeover-httpd.conf
# md5sum =
listening-ip = $${slap-network-information:global-ipv6}
# XXX: randomize-me
listening-port = 9263
htdocs = $${directory:cgi-bin}
pid-file = $${directory:run}/resilient-web-takeover-httpd.pid
cgid-pid-file = $${directory:run}/resilient-web-takeover-httpd-cgid.pid
document-root = $${directory:cgi-bin}
error-log = $${directory:log}/resilient-web-takeover-httpd-error-log

[resilient-web-takeover-httpd-wrapper]
recipe = slapos.cookbook:wrapper
apache-executable = ${apache:location}/bin/httpd
command-line = $${:apache-executable} -f $${resilient-web-takeover-httpd-configuration-file:output} -DFOREGROUND
wrapper-path = $${basedirectory:services}/resilient-web-takeover-httpd

[resilient-web-takeover-httpd-promise]
recipe = slapos.cookbook:check_url_available
path = $${basedirectory:promises}/resilient-web-takeover-httpd
url = http://[$${resilient-web-takeover-httpd-configuration-file:listening-ip}]:$${resilient-web-takeover-httpd-configuration-file:listening-port}/
dash_path = ${dash:location}/bin/dash
curl_path = ${curl:location}/bin/curl

###########
# Symlinks
###########
[backup-signature-link]
recipe = cns.recipe.symlink
symlink = $${post-notification-run:proof-signature-file} = $${directory:monitor-resilient}/backup.signature