From 3dd5baca2a498497cb9a96a36259bd94c92e20ea Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Sat, 1 Oct 2022 23:36:47 +0100
Subject: [PATCH] Add oxidized backup daemon
---
 cookbooks/oxidized/README.md | 4 +
 cookbooks/oxidized/attributes/default.rb | 1 +
 cookbooks/oxidized/metadata.rb | 10 ++
 cookbooks/oxidized/recipes/default.rb | 136 ++++++++++++++++++
 .../oxidized/templates/default/config.erb | 37 +++++
 .../oxidized/templates/default/logrotate.erb | 9 ++
 .../oxidized/templates/default/routers.db.erb | 4 +
 roles/idris.rb | 3 +-
 8 files changed, 203 insertions(+), 1 deletion(-)
 create mode 100644 cookbooks/oxidized/README.md
 create mode 100644 cookbooks/oxidized/attributes/default.rb
 create mode 100644 cookbooks/oxidized/metadata.rb
 create mode 100644 cookbooks/oxidized/recipes/default.rb
 create mode 100644 cookbooks/oxidized/templates/default/config.erb
 create mode 100644 cookbooks/oxidized/templates/default/logrotate.erb
 create mode 100644 cookbooks/oxidized/templates/default/routers.db.erb
diff --git a/cookbooks/oxidized/README.md b/cookbooks/oxidized/README.md
new file mode 100644
index 000000000..55cfbc5b3
--- /dev/null
+++ b/cookbooks/oxidized/README.md
@@ -0,0 +1,4 @@
+# oxidized cookbook
+
+This cookbook installs and configures [oxidized](https://github.com/ytti/oxidized) to
+backup the configurations of OpenStreetMap equipment.
diff --git a/cookbooks/oxidized/attributes/default.rb b/cookbooks/oxidized/attributes/default.rb
new file mode 100644
index 000000000..cd69a5de7
--- /dev/null
+++ b/cookbooks/oxidized/attributes/default.rb
@@ -0,0 +1 @@
+default[:accounts][:users][:oxidized][:status] = :role
diff --git a/cookbooks/oxidized/metadata.rb b/cookbooks/oxidized/metadata.rb
new file mode 100644
index 000000000..146cc1fae
--- /dev/null
+++ b/cookbooks/oxidized/metadata.rb
@@ -0,0 +1,10 @@
+name "oxidized"
+maintainer "OpenStreetMap Administrators"
+maintainer_email "admins@openstreetmap.org"
+license "Apache-2.0"
+description "Configures oxidized to backup equipment configuration"
+
+version "1.0.0"
+supports "ubuntu"
+depends "git"
+depends "ruby"
diff --git a/cookbooks/oxidized/recipes/default.rb b/cookbooks/oxidized/recipes/default.rb
new file mode 100644
index 000000000..4dc9bf548
--- /dev/null
+++ b/cookbooks/oxidized/recipes/default.rb
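Review bot: The `depends` list stops at `git` and `ruby`, but the recipe added in this same patch uses `systemd_service` and `bundle_install`, and the attributes file sets `node[:accounts][:users][:oxidized]`; if those resources and that user come from cookbooks in this repository (their names suggest `systemd`, `ruby` and `accounts`), the missing ones should be declared here, e.g. `depends "accounts"` and `depends "systemd"`. Without them the cookbook only loads when some other cookbook in the run list has already pulled those dependencies in, which a future run-list change can silently break.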
@@ -0,0 +1,136 @@
+#
+# Cookbook:: oxidized
+# Recipe:: default
+#
+# Copyright:: 2022, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "git"
+include_recipe "ruby"
+
+package %w[
+ gcc
+ g++
+ make
+ cmake
+ libssl-dev
+ libssh2-1-dev
+ zlib1g-dev
+ pkg-config
+]
+
+keys = data_bag_item("oxidized", "keys")
+devices = data_bag_item("oxidized", "devices")
+
+template "/etc/oxidized/config" do
+ source "config.erb"
+ owner "oxidized"
+ group "oxidized"
+ mode "444"
+ notifies :restart, "service[oxidized]"
+end
+
+template "/etc/oxidized/routers.db" do
+ source "routers.db.erb"
+ owner "oxidized"
+ group "oxidized"
+ mode "400"
+ variables :devices => devices
+ notifies :restart, "service[oxidized]"
+end
+
+directory "/var/log/oxidized" do
+ owner "oxidized"
+ group "oxidized"
+ mode "755"
+end
+
+# Key is set as a deployment key in github repo
+file "/opt/oxidized/.ssh/id_rsa" do
+ content keys["git"]
+ owner "oxidized"
+ group "oxidized"
+ mode "400"
+ notifies :delete, "file[/opt/oxidized/.ssh/id_rsa.pub]", :immediately
+ notifies :restart, "service[oxidized]"
+end
+
+# Ensure public key is deleted if private key is changed. 
Trigged by notify
+file "/opt/oxidized/.ssh/id_rsa.pub" do
+ action :nothing
+end
+
+exec "/opt/oxidized/.ssh/id_rsa.pub" do
+ command "ssh-keygen -f /opt/oxidized/.ssh/id_rsa -y > /opt/oxidized/.ssh/id_rsa.pub"
+ owner "oxidized"
+ group "oxidized"
+ creates "/opt/oxidized/.ssh/id_rsa.pub"
+ notifies :restart, "service[oxidized]"
+end
+
+git "/opt/oxidized" do
+ action :sync
+ repository "https://github.com/openstreetmap/oxidized.git"
+ depth 1
+ user "oxidized"
+ group "oxidized"
+ notifies :run, "bundle_install[/opt/oxidized]"
+end
+
+git "/var/lib/oxidized/configs.git" do
+ action :sync
+ repository "git@github.com:openstreetmap/oxidized-configs.git" # Uses oxidized ssh key
+ checkout_branch "master" # branch is hardcoded in oxidized
+ user "oxidized"
+ group "oxidized"
+end
+
+bundle_install "/opt/oxidized" do
+ action :nothing
+ options "--deployment"
+ user "oxidized"
+ group "oxidized"
+ notifies :restart, "service[oxidized]"
+end
+
+# Based on https://github.com/ytti/oxidized/blob/master/extra/oxidized.service
+systemd_service "oxidized" do
+ description "oxidized network device backup daemon"
+ after "network.target"
+ user "oxidized"
+ working_directory "/opt/oxidized"
+ exec_start "#{node[:ruby][:bundle]} exec oxidized"
+ environment "OXIDIZED_HOME" => "/etc/oxidized",
+ "OXIDIZED_LOGS" => "/var/log/oxidized"
+ nice 10
+ private_tmp true
+ private_devices true
+ protect_system "full"
+ protect_home true
+ no_new_privileges true
+ restart "on-failure"
+ notifies :restart, "service[oxidized]"
+end
+
+service "oxidized" do
+ action [:enable, :start]
+end
+
+template "/etc/logrotate.d/oxidized" do
+ source "logrotate.erb"
+ owner "root"
+ group "root"
+ mode "644"
+end
diff --git a/cookbooks/oxidized/templates/default/config.erb b/cookbooks/oxidized/templates/default/config.erb
new file mode 100644
index 000000000..25dee6022
--- /dev/null
+++ b/cookbooks/oxidized/templates/default/config.erb
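Review bot: `exec "/opt/oxidized/.ssh/id_rsa.pub" do ... end` is not a Chef resource; unless this repository defines a custom resource named `exec`, Ruby resolves the call to `Kernel#exec`, which at recipe compile time tries to replace the chef-client process with that (non-executable) file and aborts the run before any resource converges. It should read `execute "/opt/oxidized/.ssh/id_rsa.pub" do` with `user "oxidized"` in place of `owner "oxidized"`, since `execute` has no `owner` property. Separately, `file "/opt/oxidized/.ssh/id_rsa"` writes a private key taken from a data bag and `template "/etc/oxidized/routers.db"` writes device passwords, but neither sets `sensitive true`, so the full content diff is printed in the chef-client log every time either changes. Nothing in this recipe creates `/opt/oxidized/.ssh` or `/etc/oxidized` before writing into them, and `/opt/oxidized` is also the target of the later `git` sync, so a first converge depends on the `oxidized` account setup (outside this hunk) having laid those directories out.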
@@ -0,0 +1,37 @@
+---
+# DO NOT EDIT - This file is being maintained by Chef
+rest: false
+vars:
+ remove_secret: true
+ auth_methods: [ "password" ]
+pid: "/run/oxidized/oxidized.pid"
+input:
+ default: ssh
+output:
+ default: git
+ git:
+ single_repo: true
+ user: oxidized
+ email: oxidized@openstreetmap.org
+ repo: "/var/lib/oxidized/configs.git"
+hooks:
+ push_to_remote:
+ type: githubrepo
+ events: [post_store]
+ remote_repo: git@github.com:openstreetmap/oxidized-configs.git
+ privatekey: /opt/oxidized/.ssh/id_rsa
+source:
+ default: csv
+ csv:
+ file: "/etc/oxidized/routers.db"
+ delimiter: !ruby/regexp /:/
+ map:
+ name: 0
+ model: 1
+ input: 2
+ username: 3
+ password: 4
+model_map:
+ juniper: junos
+ apc: apc_aos
+ ciscocmb: ciscosmb
diff --git a/cookbooks/oxidized/templates/default/logrotate.erb b/cookbooks/oxidized/templates/default/logrotate.erb
new file mode 100644
index 000000000..7dfe60219
--- /dev/null
+++ b/cookbooks/oxidized/templates/default/logrotate.erb
@@ -0,0 +1,9 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+/var/log/oxidized/*.log {
+ rotate 12
+ weekly
+ size 10M
+ compress
+ delaycompress
+}
diff --git a/cookbooks/oxidized/templates/default/routers.db.erb b/cookbooks/oxidized/templates/default/routers.db.erb
new file mode 100644
index 000000000..9a7bf027c
--- /dev/null
+++ b/cookbooks/oxidized/templates/default/routers.db.erb
@@ -0,0 +1,4 @@
+# DO NOT EDIT - This file is being maintained by Chef
+<% @devices[:hardware].keys.sort.each do |d| -%>
+<%= d -%>:<%= @devices[:hardware][d][:device] -%>:<%= @devices[:hardware][d][:input] -%>:<%= @devices[:hardware][d][:username] -%>:<%= @devices[:hardware][d][:password] %>
+<% end -%>
diff --git a/roles/idris.rb b/roles/idris.rb
index aec768e82..ee56fc85a 100644
--- a/roles/idris.rb
+++ b/roles/idris.rb
@@ -34,5 +34,6 @@ default_attributes(
 run_list(
 "role[equinix-dub]",
- "role[hp-g9]"
+ "role[hp-g9]",
+ "role[oxidized]"
 )
--
2.39.5
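Review bot: `pid: "/run/oxidized/oxidized.pid"` points into a directory that nothing in this patch creates: the `systemd_service "oxidized"` in the recipe hunk declares no runtime directory, and `/run` is a tmpfs the unprivileged `oxidized` user cannot create subdirectories in, so the pid-file write oxidized does on startup will fail at boot unless the account setup provides that directory. Adding the equivalent of `RuntimeDirectory=oxidized` to the unit, or pointing `pid` under `/var/lib/oxidized`, would resolve it. `ciscocmb: ciscosmb` under `model_map` also looks like a typo of the `ciscosmb` model name on the key side; if the devices data bag spells it `ciscosmb` the mapping never matches, although it may be deliberately mirroring a data-bag value that is not visible here.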
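Review bot: `weekly` and `size 10M` are combined on consecutive lines, but logrotate treats `size` as exclusive of the time-based keywords, so as written the log rotates only once it exceeds 10M and `weekly` is ignored; if the intent is weekly or whenever the file grows past 10M, `maxsize 10M` is the keyword that combines with `weekly`. The stanza also has no `copytruncate` and no `postrotate` hook, so unless oxidized reopens its log file on rotation (not visible here) the daemon keeps writing to the renamed file and the fresh `*.log` stays empty; `copytruncate` is the simplest fix. `missingok` and `notifempty` would additionally stop logrotate from erroring before the first log is written.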
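Review bot: Every field on the `<%= d -%>:<%= ... %>` line is interpolated verbatim, while `config.erb` in this same patch parses the file with `delimiter: !ruby/regexp /:/`, so a device name, username or password from the data bag that contains a `:` shifts every later column and oxidized logs in to that device with the wrong credentials (and a password ending up in the `model` column is then exposed in error output). The recipe should validate the `devices` item before rendering, e.g. `raise "oxidized device field contains ':'" if value.include?(":")` over each field, or both files should move to a delimiter that cannot occur in the values.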
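Review bot: `"role[oxidized]"` is added to the idris run list, but no `roles/oxidized.rb` is part of this patch (the diffstat lists eight files and none is a role), so unless that role already exists in the repository the next chef-client run on this host fails with a missing-role error before converging anything. Either add the role file in the same commit or, if the cookbook is meant to be applied directly, use `"recipe[oxidized]"` here.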