diff --git a/manifests/init.pp b/manifests/init.pp
index b933ee8..87a6bbe 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,183 +1,185 @@ # All in one class for setting up a PuppetDB instance. See README.md for more # details. class puppetdb ( $listen_address = $puppetdb::params::listen_address, $listen_port = $puppetdb::params::listen_port, $disable_cleartext = $puppetdb::params::disable_cleartext, $open_listen_port = $puppetdb::params::open_listen_port, $ssl_listen_address = $puppetdb::params::ssl_listen_address, $ssl_listen_port = $puppetdb::params::ssl_listen_port, $disable_ssl = $puppetdb::params::disable_ssl, $open_ssl_listen_port = $puppetdb::params::open_ssl_listen_port, $ssl_dir = $puppetdb::params::ssl_dir, $ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths, $ssl_cert_path = $puppetdb::params::ssl_cert_path, $ssl_key_path = $puppetdb::params::ssl_key_path, $ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path, $ssl_deploy_certs = $puppetdb::params::ssl_deploy_certs, $ssl_key = $puppetdb::params::ssl_key, $ssl_cert = $puppetdb::params::ssl_cert, $ssl_ca_cert = $puppetdb::params::ssl_ca_cert, $ssl_protocols = $puppetdb::params::ssl_protocols, $cipher_suites = $puppetdb::params::cipher_suites, $manage_dbserver = $puppetdb::params::manage_dbserver, $manage_database = $puppetdb::params::manage_database, $manage_package_repo = $puppetdb::params::manage_pg_repo, $postgres_version = $puppetdb::params::postgres_version, $database = $puppetdb::params::database, $database_host = $puppetdb::params::database_host, $database_port = $puppetdb::params::database_port, $database_username = $puppetdb::params::database_username, $database_password = $puppetdb::params::database_password, $database_name = $puppetdb::params::database_name, $manage_db_password = $puppetdb::params::manage_db_password, $jdbc_ssl_properties = $puppetdb::params::jdbc_ssl_properties, $database_listen_address = $puppetdb::params::postgres_listen_addresses, $database_validate = $puppetdb::params::database_validate, $database_embedded_path = $puppetdb::params::database_embedded_path, $node_ttl = 
$puppetdb::params::node_ttl, $node_purge_ttl = $puppetdb::params::node_purge_ttl, $report_ttl = $puppetdb::params::report_ttl, Optional[Array] $facts_blacklist = $puppetdb::params::facts_blacklist, $gc_interval = $puppetdb::params::gc_interval, + $node_purge_gc_batch_limit = $puppetdb::params::node_purge_gc_batch_limit, $log_slow_statements = $puppetdb::params::log_slow_statements, $conn_max_age = $puppetdb::params::conn_max_age, $conn_keep_alive = $puppetdb::params::conn_keep_alive, $conn_lifetime = $puppetdb::params::conn_lifetime, $puppetdb_package = $puppetdb::params::puppetdb_package, $puppetdb_service = $puppetdb::params::puppetdb_service, $puppetdb_service_status = $puppetdb::params::puppetdb_service_status, $puppetdb_user = $puppetdb::params::puppetdb_user, $puppetdb_group = $puppetdb::params::puppetdb_group, $read_database = $puppetdb::params::read_database, $read_database_host = $puppetdb::params::read_database_host, $read_database_port = $puppetdb::params::read_database_port, $read_database_username = $puppetdb::params::read_database_username, $read_database_password = $puppetdb::params::read_database_password, $read_database_name = $puppetdb::params::read_database_name, $manage_read_db_password = $puppetdb::params::manage_read_db_password, $read_database_jdbc_ssl_properties = $puppetdb::params::read_database_jdbc_ssl_properties, $read_database_validate = $puppetdb::params::read_database_validate, $read_log_slow_statements = $puppetdb::params::read_log_slow_statements, $read_conn_max_age = $puppetdb::params::read_conn_max_age, $read_conn_keep_alive = $puppetdb::params::read_conn_keep_alive, $read_conn_lifetime = $puppetdb::params::read_conn_lifetime, $confdir = $puppetdb::params::confdir, $vardir = $puppetdb::params::vardir, $manage_firewall = $puppetdb::params::manage_firewall, $java_args = $puppetdb::params::java_args, $merge_default_java_args = $puppetdb::params::merge_default_java_args, $max_threads = $puppetdb::params::max_threads, $command_threads 
= $puppetdb::params::command_threads, $concurrent_writes = $puppetdb::params::concurrent_writes, $store_usage = $puppetdb::params::store_usage, $temp_usage = $puppetdb::params::temp_usage, $disable_update_checking = $puppetdb::params::disable_update_checking, $certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file, $certificate_whitelist = $puppetdb::params::certificate_whitelist, $database_max_pool_size = $puppetdb::params::database_max_pool_size, $read_database_max_pool_size = $puppetdb::params::read_database_max_pool_size, Boolean $automatic_dlo_cleanup = $puppetdb::params::automatic_dlo_cleanup, String[1] $cleanup_timer_interval = $puppetdb::params::cleanup_timer_interval, Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age, ) inherits puppetdb::params { class { '::puppetdb::server': listen_address => $listen_address, listen_port => $listen_port, disable_cleartext => $disable_cleartext, open_listen_port => $open_listen_port, ssl_listen_address => $ssl_listen_address, ssl_listen_port => $ssl_listen_port, disable_ssl => $disable_ssl, open_ssl_listen_port => $open_ssl_listen_port, ssl_dir => $ssl_dir, ssl_set_cert_paths => $ssl_set_cert_paths, ssl_cert_path => $ssl_cert_path, ssl_key_path => $ssl_key_path, ssl_ca_cert_path => $ssl_ca_cert_path, ssl_deploy_certs => $ssl_deploy_certs, ssl_key => $ssl_key, ssl_cert => $ssl_cert, ssl_ca_cert => $ssl_ca_cert, ssl_protocols => $ssl_protocols, cipher_suites => $cipher_suites, database => $database, database_host => $database_host, database_port => $database_port, database_username => $database_username, database_password => $database_password, database_name => $database_name, manage_db_password => $manage_db_password, jdbc_ssl_properties => $jdbc_ssl_properties, database_validate => $database_validate, database_embedded_path => $database_embedded_path, node_ttl => $node_ttl, node_purge_ttl => $node_purge_ttl, report_ttl => $report_ttl, facts_blacklist => $facts_blacklist, gc_interval => 
$gc_interval, + node_purge_gc_batch_limit => $node_purge_gc_batch_limit, log_slow_statements => $log_slow_statements, conn_max_age => $conn_max_age, conn_keep_alive => $conn_keep_alive, conn_lifetime => $conn_lifetime, puppetdb_package => $puppetdb_package, puppetdb_service => $puppetdb_service, puppetdb_service_status => $puppetdb_service_status, confdir => $confdir, vardir => $vardir, java_args => $java_args, merge_default_java_args => $merge_default_java_args, max_threads => $max_threads, read_database => $read_database, read_database_host => $read_database_host, read_database_port => $read_database_port, read_database_username => $read_database_username, read_database_password => $read_database_password, read_database_name => $read_database_name, manage_read_db_password => $manage_read_db_password, read_database_jdbc_ssl_properties => $read_database_jdbc_ssl_properties, read_database_validate => $read_database_validate, read_log_slow_statements => $read_log_slow_statements, read_conn_max_age => $read_conn_max_age, read_conn_keep_alive => $read_conn_keep_alive, read_conn_lifetime => $read_conn_lifetime, puppetdb_user => $puppetdb_user, puppetdb_group => $puppetdb_group, manage_firewall => $manage_firewall, command_threads => $command_threads, concurrent_writes => $concurrent_writes, store_usage => $store_usage, temp_usage => $temp_usage, disable_update_checking => $disable_update_checking, certificate_whitelist_file => $certificate_whitelist_file, certificate_whitelist => $certificate_whitelist, database_max_pool_size => $database_max_pool_size, read_database_max_pool_size => $read_database_max_pool_size, automatic_dlo_cleanup => $automatic_dlo_cleanup, cleanup_timer_interval => $cleanup_timer_interval, dlo_max_age => $dlo_max_age, } if ($database == 'postgres') { $database_before = str2bool($database_validate) ? 
{ false => Class['::puppetdb::server'], default => [Class['::puppetdb::server'], Class['::puppetdb::server::validate_db']], } class { '::puppetdb::database::postgresql': listen_addresses => $database_listen_address, database_name => $database_name, database_username => $database_username, database_password => $database_password, database_port => $database_port, manage_server => $manage_dbserver, manage_database => $manage_database, manage_package_repo => $manage_package_repo, postgres_version => $postgres_version, before => $database_before } } } diff --git a/manifests/params.pp b/manifests/params.pp index 8dbea1b..9677c46 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
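Review bot: The new `$node_purge_gc_batch_limit` parameter is declared without a data type in the `puppetdb` class signature, and again in the `puppetdb::server` and `puppetdb::server::database` hunks, so whatever a caller supplies is carried unchecked into the `node-purge-gc-batch-limit` line of database.ini. The most recently added parameters in the same signature are typed (`Integer[1] $dlo_max_age`, `String[1] $cleanup_timer_interval`), and the new one could follow them, for example `Variant[Integer[0], Pattern[/\A\d+\z/]] $node_purge_gc_batch_limit = $puppetdb::params::node_purge_gc_batch_limit,`, which still accepts the string default `'25'`. Whether zero is a meaningful value for PuppetDB is not visible in this diff, so the lower bound should be confirmed before it is fixed in the type.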
@@ -1,204 +1,205 @@ # PRIVATE CLASS - do not use directly # # The puppetdb default configuration settings. class puppetdb::params inherits puppetdb::globals { $listen_address = 'localhost' $listen_port = '8080' $disable_cleartext = false $open_listen_port = false $ssl_listen_address = '0.0.0.0' $ssl_listen_port = '8081' $ssl_protocols = undef $disable_ssl = false $cipher_suites = undef $open_ssl_listen_port = undef $postgres_listen_addresses = 'localhost' $puppetdb_version = $puppetdb::globals::version $database = $puppetdb::globals::database $manage_dbserver = true $manage_database = true if $::osfamily =~ /RedHat|Debian/ { $manage_pg_repo = true } else { $manage_pg_repo = false } $postgres_version = '9.6' # The remaining database settings are not used for an embedded database $database_host = 'localhost' $database_port = '5432' $database_name = 'puppetdb' $database_username = 'puppetdb' $database_password = 'puppetdb' $manage_db_password = true $jdbc_ssl_properties = '' $database_validate = true $database_max_pool_size = undef # These settings manage the various auto-deactivation and auto-purge settings $node_ttl = '7d' $node_purge_ttl = '14d' $report_ttl = '14d' $facts_blacklist = undef - $gc_interval = '60' + $gc_interval = '60' + $node_purge_gc_batch_limit = '25' $log_slow_statements = '10' $conn_max_age = '60' $conn_keep_alive = '45' $conn_lifetime = '0' $max_threads = undef # These settings are for the read database $read_database = 'postgres' $read_database_host = undef $read_database_port = '5432' $read_database_name = 'puppetdb' $read_database_username = 'puppetdb' $read_database_password = 'puppetdb' $manage_read_db_password = true $read_database_jdbc_ssl_properties = '' $read_database_validate = true $read_log_slow_statements = '10' $read_conn_max_age = '60' $read_conn_keep_alive = '45' $read_conn_lifetime = '0' $read_database_max_pool_size = undef $manage_firewall = true $java_args = {} $merge_default_java_args = true $puppetdb_package = 'puppetdb' 
$puppetdb_service = 'puppetdb' $masterless = false if !($puppetdb_version in ['latest','present','absent']) and versioncmp($puppetdb_version, '3.0.0') < 0 { case $::osfamily { 'RedHat', 'Suse', 'Archlinux','Debian': { $etcdir = '/etc/puppetdb' $vardir = '/var/lib/puppetdb' $database_embedded_path = "${vardir}/db/db" $puppet_confdir = pick($settings::confdir,'/etc/puppet') $puppet_service_name = 'puppetmaster' } 'OpenBSD': { $etcdir = '/etc/puppetdb' $vardir = '/var/db/puppetdb' $database_embedded_path = "${vardir}/db/db" $puppet_confdir = pick($settings::confdir,'/etc/puppet') $puppet_service_name = 'puppetmasterd' } 'FreeBSD': { $etcdir = '/usr/local/etc/puppetdb' $vardir = '/var/db/puppetdb' $database_embedded_path = "${vardir}/db/db" $puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppet') $puppet_service_name = 'puppetmaster' } default: { fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.") } } $terminus_package = 'puppetdb-terminus' $test_url = '/v3/version' } else { case $::osfamily { 'RedHat', 'Suse', 'Archlinux','Debian': { $etcdir = '/etc/puppetlabs/puppetdb' $puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet') $puppet_service_name = 'puppetserver' } 'OpenBSD': { $etcdir = '/etc/puppetlabs/puppetdb' $puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet') $puppet_service_name = undef } 'FreeBSD': { $etcdir = '/usr/local/etc/puppetlabs/puppetdb' $puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppetlabs/puppet') $puppet_service_name = undef } default: { fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.") } } $terminus_package = 'puppetdb-termini' $test_url = '/pdb/meta/v1/version' $vardir = '/opt/puppetlabs/server/data/puppetdb' $database_embedded_path = "${vardir}/db/db" } $confdir = "${etcdir}/conf.d" $ssl_dir = "${etcdir}/ssl" case $::osfamily { 'RedHat', 'Suse', 'Archlinux': { $puppetdb_user = 'puppetdb' 
$puppetdb_group = 'puppetdb' $puppetdb_initconf = '/etc/sysconfig/puppetdb' } 'Debian': { $puppetdb_user = 'puppetdb' $puppetdb_group = 'puppetdb' $puppetdb_initconf = '/etc/default/puppetdb' } 'OpenBSD': { $puppetdb_user = '_puppetdb' $puppetdb_group = '_puppetdb' $puppetdb_initconf = undef } 'FreeBSD': { $puppetdb_user = 'puppetdb' $puppetdb_group = 'puppetdb' $puppetdb_initconf = undef } default: { fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.") } } $puppet_conf = "${puppet_confdir}/puppet.conf" $puppetdb_startup_timeout = 120 $puppetdb_service_status = 'running' $command_threads = undef $concurrent_writes = undef $store_usage = undef $temp_usage = undef $disable_update_checking = undef # reports of failed actions: https://puppet.com/docs/puppetdb/5.2/maintain_and_tune.html#clean-up-the-dead-letter-office $automatic_dlo_cleanup = true # any value for a systemd timer is valid: https://www.freedesktop.org/software/systemd/man/systemd.time.html $cleanup_timer_interval = "*-*-* ${fqdn_rand(24)}:${fqdn_rand(60)}:00" $dlo_max_age = 90 $ssl_set_cert_paths = false $ssl_cert_path = "${ssl_dir}/public.pem" $ssl_key_path = "${ssl_dir}/private.pem" $ssl_ca_cert_path = "${ssl_dir}/ca.pem" $ssl_deploy_certs = false $ssl_key = undef $ssl_cert = undef $ssl_ca_cert = undef $certificate_whitelist_file = "${etcdir}/certificate-whitelist" # the default is free access for now $certificate_whitelist = [ ] # change to this to only allow access by the puppet master by default: #$certificate_whitelist = [ $::servername ] # Get the parameter name for the database connection pool tuning if $puppetdb_version in ['latest','present'] or versioncmp($puppetdb_version, '4.0.0') >= 0 { $database_max_pool_size_setting_name = 'maximum-pool-size' } elsif versioncmp($puppetdb_version, '2.8.0') >= 0 { $database_max_pool_size_setting_name = 'partition-conn-max' } else { $database_max_pool_size_setting_name = undef } } 
diff --git a/manifests/server.pp b/manifests/server.pp
index d9c86a9..dc2d35e 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,352 +1,354 @@ # Class to configure a PuppetDB server. See README.md for more details. class puppetdb::server ( $listen_address = $puppetdb::params::listen_address, $listen_port = $puppetdb::params::listen_port, $disable_cleartext = $puppetdb::params::disable_cleartext, $open_listen_port = $puppetdb::params::open_listen_port, $ssl_listen_address = $puppetdb::params::ssl_listen_address, $ssl_listen_port = $puppetdb::params::ssl_listen_port, $disable_ssl = $puppetdb::params::disable_ssl, $open_ssl_listen_port = $puppetdb::params::open_ssl_listen_port, Stdlib::Absolutepath $ssl_dir = $puppetdb::params::ssl_dir, Boolean $ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths, Stdlib::Absolutepath $ssl_cert_path = $puppetdb::params::ssl_cert_path, Stdlib::Absolutepath $ssl_key_path = $puppetdb::params::ssl_key_path, Stdlib::Absolutepath $ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path, Boolean $ssl_deploy_certs = $puppetdb::params::ssl_deploy_certs, $ssl_key = $puppetdb::params::ssl_key, $ssl_cert = $puppetdb::params::ssl_cert, $ssl_ca_cert = $puppetdb::params::ssl_ca_cert, $ssl_protocols = $puppetdb::params::ssl_protocols, $cipher_suites = $puppetdb::params::cipher_suites, $database = $puppetdb::params::database, $database_host = $puppetdb::params::database_host, $database_port = $puppetdb::params::database_port, $database_username = $puppetdb::params::database_username, $database_password = $puppetdb::params::database_password, $database_name = $puppetdb::params::database_name, $manage_db_password = $puppetdb::params::manage_db_password, $jdbc_ssl_properties = $puppetdb::params::jdbc_ssl_properties, $database_validate = $puppetdb::params::database_validate, $database_embedded_path = $puppetdb::params::database_embedded_path, $node_ttl = $puppetdb::params::node_ttl, $node_purge_ttl = $puppetdb::params::node_purge_ttl, $report_ttl = $puppetdb::params::report_ttl, Optional[Array] $facts_blacklist = $puppetdb::params::facts_blacklist, $gc_interval = 
$puppetdb::params::gc_interval, + $node_purge_gc_batch_limit = $puppetdb::params::node_purge_gc_batch_limit, $log_slow_statements = $puppetdb::params::log_slow_statements, $conn_max_age = $puppetdb::params::conn_max_age, $conn_keep_alive = $puppetdb::params::conn_keep_alive, $conn_lifetime = $puppetdb::params::conn_lifetime, $puppetdb_package = $puppetdb::params::puppetdb_package, $puppetdb_service = $puppetdb::params::puppetdb_service, $puppetdb_service_status = $puppetdb::params::puppetdb_service_status, $puppetdb_user = $puppetdb::params::puppetdb_user, $puppetdb_group = $puppetdb::params::puppetdb_group, $read_database = $puppetdb::params::read_database, $read_database_host = $puppetdb::params::read_database_host, $read_database_port = $puppetdb::params::read_database_port, $read_database_username = $puppetdb::params::read_database_username, $read_database_password = $puppetdb::params::read_database_password, $read_database_name = $puppetdb::params::read_database_name, $manage_read_db_password = $puppetdb::params::manage_read_db_password, $read_database_jdbc_ssl_properties = $puppetdb::params::read_database_jdbc_ssl_properties, $read_database_validate = $puppetdb::params::read_database_validate, $read_log_slow_statements = $puppetdb::params::read_log_slow_statements, $read_conn_max_age = $puppetdb::params::read_conn_max_age, $read_conn_keep_alive = $puppetdb::params::read_conn_keep_alive, $read_conn_lifetime = $puppetdb::params::read_conn_lifetime, $confdir = $puppetdb::params::confdir, $vardir = $puppetdb::params::vardir, $manage_firewall = $puppetdb::params::manage_firewall, $java_args = $puppetdb::params::java_args, $merge_default_java_args = $puppetdb::params::merge_default_java_args, $max_threads = $puppetdb::params::max_threads, $command_threads = $puppetdb::params::command_threads, $concurrent_writes = $puppetdb::params::concurrent_writes, $store_usage = $puppetdb::params::store_usage, $temp_usage = $puppetdb::params::temp_usage, $disable_update_checking 
= $puppetdb::params::disable_update_checking, $certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file, $certificate_whitelist = $puppetdb::params::certificate_whitelist, $database_max_pool_size = $puppetdb::params::database_max_pool_size, $read_database_max_pool_size = $puppetdb::params::read_database_max_pool_size, Boolean $automatic_dlo_cleanup = $puppetdb::params::automatic_dlo_cleanup, String[1] $cleanup_timer_interval = $puppetdb::params::cleanup_timer_interval, Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age, ) inherits puppetdb::params { # Apply necessary suffix if zero is specified. # Can we drop this in the next major release? if $node_ttl == '0' { $_node_ttl_real = '0s' } else { $_node_ttl_real = downcase($node_ttl) } # Validate node_ttl $node_ttl_real = assert_type(Puppetdb::Ttl, $_node_ttl_real) # Apply necessary suffix if zero is specified. # Can we drop this in the next major release? if $node_purge_ttl == '0' { $_node_purge_ttl_real = '0s' } else { $_node_purge_ttl_real = downcase($node_purge_ttl) } # Validate node_purge_ttl $node_purge_ttl_real = assert_type(Puppetdb::Ttl, $_node_purge_ttl_real) # Apply necessary suffix if zero is specified. # Can we drop this in the next major release? if $report_ttl == '0' { $_report_ttl_real = '0s' } else { $_report_ttl_real = downcase($report_ttl) } # Validate report_ttl $repor_ttl_real = assert_type(Puppetdb::Ttl, $_report_ttl_real) # Validate puppetdb_service_status $service_enabled = $puppetdb_service_status ? { /(running|true)/ => true, /(stopped|false)/ => false, default => fail("puppetdb_service_status valid values are 'true', 'running', 'false', and 'stopped'. You provided '${puppetdb_service_status}'"), } # Validate database type (Currently only postgres and embedded are supported) if !($database in ['postgres', 'embedded']) { fail("database must must be 'postgres' or 'embedded'. 
You provided '${database}'") } # Validate read-database type (Currently only postgres is supported) if !($read_database in ['postgres']) { fail("read_database must be 'postgres'. You provided '${read_database}'") } package { $puppetdb_package: ensure => $puppetdb::params::puppetdb_version, notify => Service[$puppetdb_service], } if $manage_firewall { class { 'puppetdb::server::firewall': http_port => $listen_port, open_http_port => $open_listen_port, ssl_port => $ssl_listen_port, open_ssl_port => $open_ssl_listen_port, } } class { 'puppetdb::server::global': vardir => $vardir, confdir => $confdir, puppetdb_user => $puppetdb_user, puppetdb_group => $puppetdb_group, notify => Service[$puppetdb_service], } class { 'puppetdb::server::command_processing': command_threads => $command_threads, concurrent_writes => $concurrent_writes, store_usage => $store_usage, temp_usage => $temp_usage, confdir => $confdir, notify => Service[$puppetdb_service], } class { 'puppetdb::server::database': - database => $database, - database_host => $database_host, - database_port => $database_port, - database_username => $database_username, - database_password => $database_password, - database_name => $database_name, - manage_db_password => $manage_db_password, - database_max_pool_size => $database_max_pool_size, - jdbc_ssl_properties => $jdbc_ssl_properties, - database_validate => $database_validate, - database_embedded_path => $database_embedded_path, - node_ttl => $node_ttl, - node_purge_ttl => $node_purge_ttl, - report_ttl => $report_ttl, - facts_blacklist => $facts_blacklist, - gc_interval => $gc_interval, - log_slow_statements => $log_slow_statements, - conn_max_age => $conn_max_age, - conn_keep_alive => $conn_keep_alive, - conn_lifetime => $conn_lifetime, - confdir => $confdir, - puppetdb_user => $puppetdb_user, - puppetdb_group => $puppetdb_group, - notify => Service[$puppetdb_service], + database => $database, + database_host => $database_host, + database_port => $database_port, + 
database_username => $database_username, + database_password => $database_password, + database_name => $database_name, + manage_db_password => $manage_db_password, + database_max_pool_size => $database_max_pool_size, + jdbc_ssl_properties => $jdbc_ssl_properties, + database_validate => $database_validate, + database_embedded_path => $database_embedded_path, + node_ttl => $node_ttl, + node_purge_ttl => $node_purge_ttl, + report_ttl => $report_ttl, + facts_blacklist => $facts_blacklist, + gc_interval => $gc_interval, + node_purge_gc_batch_limit => $node_purge_gc_batch_limit, + log_slow_statements => $log_slow_statements, + conn_max_age => $conn_max_age, + conn_keep_alive => $conn_keep_alive, + conn_lifetime => $conn_lifetime, + confdir => $confdir, + puppetdb_user => $puppetdb_user, + puppetdb_group => $puppetdb_group, + notify => Service[$puppetdb_service], } class { 'puppetdb::server::read_database': database => $read_database, database_host => $read_database_host, database_port => $read_database_port, database_username => $read_database_username, database_password => $read_database_password, database_name => $read_database_name, manage_db_password => $manage_read_db_password, jdbc_ssl_properties => $read_database_jdbc_ssl_properties, database_validate => $read_database_validate, log_slow_statements => $read_log_slow_statements, conn_max_age => $read_conn_max_age, conn_keep_alive => $read_conn_keep_alive, conn_lifetime => $read_conn_lifetime, confdir => $confdir, puppetdb_user => $puppetdb_user, puppetdb_group => $puppetdb_group, notify => Service[$puppetdb_service], database_max_pool_size => $read_database_max_pool_size, } if $ssl_deploy_certs { file { $ssl_dir: ensure => directory, owner => $puppetdb_user, group => $puppetdb_group, mode => '0700'; $ssl_key_path: ensure => file, content => $ssl_key, owner => $puppetdb_user, group => $puppetdb_group, mode => '0600', notify => Service[$puppetdb_service]; $ssl_cert_path: ensure => file, content => $ssl_cert, owner => 
$puppetdb_user, group => $puppetdb_group, mode => '0600', notify => Service[$puppetdb_service]; $ssl_ca_cert_path: ensure => file, content => $ssl_ca_cert, owner => $puppetdb_user, group => $puppetdb_group, mode => '0600', notify => Service[$puppetdb_service]; } } class { 'puppetdb::server::jetty': listen_address => $listen_address, listen_port => $listen_port, disable_cleartext => $disable_cleartext, ssl_listen_address => $ssl_listen_address, ssl_listen_port => $ssl_listen_port, ssl_set_cert_paths => $ssl_set_cert_paths, ssl_key_path => $ssl_key_path, ssl_cert_path => $ssl_cert_path, ssl_ca_cert_path => $ssl_ca_cert_path, ssl_protocols => $ssl_protocols, cipher_suites => $cipher_suites, disable_ssl => $disable_ssl, confdir => $confdir, max_threads => $max_threads, notify => Service[$puppetdb_service], puppetdb_user => $puppetdb_user, puppetdb_group => $puppetdb_group, } class { 'puppetdb::server::puppetdb': certificate_whitelist_file => $certificate_whitelist_file, certificate_whitelist => $certificate_whitelist, disable_update_checking => $disable_update_checking, confdir => $confdir, puppetdb_user => $puppetdb_user, puppetdb_group => $puppetdb_group, notify => Service[$puppetdb_service], } if !empty($java_args) { if $merge_default_java_args { create_resources( 'ini_subsetting', puppetdb::create_subsetting_resource_hash( $java_args, { ensure => present, section => '', key_val_separator => '=', path => $puppetdb::params::puppetdb_initconf, setting => 'JAVA_ARGS', require => Package[$puppetdb_package], notify => Service[$puppetdb_service], })) } else { ini_setting { 'java_args': ensure => present, section => '', path => $puppetdb::params::puppetdb_initconf, setting => 'JAVA_ARGS', require => Package[$puppetdb_package], notify => Service[$puppetdb_service], value => puppetdb::flatten_java_args($java_args), } } } if $automatic_dlo_cleanup { if $facts['systemd'] { # deploy a systemd timer + service to cleanup old reports # 
https://puppet.com/docs/puppetdb/5.2/maintain_and_tune.html#clean-up-the-dead-letter-office systemd::unit_file{'puppetdb-dlo-cleanup.service': content => epp("${module_name}/puppetdb-DLO-cleanup.service.epp", { 'puppetdb_user' => $puppetdb_user, 'puppetdb_group' => $puppetdb_group, 'vardir' => $vardir, 'dlo_max_age' => $dlo_max_age }), } -> systemd::unit_file{'puppetdb-dlo-cleanup.timer': content => epp("${module_name}/puppetdb-DLO-cleanup.timer.epp", {'cleanup_timer_interval' => $cleanup_timer_interval}), enable => true, active => true, } } else { cron { 'puppetdb-dlo-cleanup': ensure => 'present', minute => fqdn_rand(60), hour => fqdn_rand(24), monthday => '*', month => '*', weekday => '*', command => "/usr/bin/find ${vardir}/stockpile/discard/ -type f -mtime ${dlo_max_age} -delete", user => $puppetdb_user, } } } service { $puppetdb_service: ensure => $puppetdb_service_status, enable => $service_enabled, } if $manage_firewall { Package[$puppetdb_package] -> Class['puppetdb::server::firewall'] -> Class['puppetdb::server::global'] -> Class['puppetdb::server::command_processing'] -> Class['puppetdb::server::database'] -> Class['puppetdb::server::read_database'] -> Class['puppetdb::server::jetty'] -> Class['puppetdb::server::puppetdb'] -> Service[$puppetdb_service] } else { Package[$puppetdb_package] -> Class['puppetdb::server::global'] -> Class['puppetdb::server::command_processing'] -> Class['puppetdb::server::database'] -> Class['puppetdb::server::read_database'] -> Class['puppetdb::server::jetty'] -> Class['puppetdb::server::puppetdb'] -> Service[$puppetdb_service] } } diff --git a/manifests/server/database.pp b/manifests/server/database.pp index 36c50a4..98b523b 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp 
@@ -1,189 +1,195 @@ # PRIVATE CLASS - do not use directly class puppetdb::server::database ( $database = $puppetdb::params::database, $database_host = $puppetdb::params::database_host, $database_port = $puppetdb::params::database_port, $database_username = $puppetdb::params::database_username, $database_password = $puppetdb::params::database_password, $database_name = $puppetdb::params::database_name, $manage_db_password = $puppetdb::params::manage_db_password, $jdbc_ssl_properties = $puppetdb::params::jdbc_ssl_properties, $database_validate = $puppetdb::params::database_validate, $database_embedded_path = $puppetdb::params::database_embedded_path, $node_ttl = $puppetdb::params::node_ttl, $node_purge_ttl = $puppetdb::params::node_purge_ttl, $report_ttl = $puppetdb::params::report_ttl, $facts_blacklist = $puppetdb::params::facts_blacklist, $gc_interval = $puppetdb::params::gc_interval, + $node_purge_gc_batch_limit = $puppetdb::params::node_purge_gc_batch_limit, $log_slow_statements = $puppetdb::params::log_slow_statements, $conn_max_age = $puppetdb::params::conn_max_age, $conn_keep_alive = $puppetdb::params::conn_keep_alive, $conn_lifetime = $puppetdb::params::conn_lifetime, $confdir = $puppetdb::params::confdir, $puppetdb_user = $puppetdb::params::puppetdb_user, $puppetdb_group = $puppetdb::params::puppetdb_group, $database_max_pool_size = $puppetdb::params::database_max_pool_size, ) inherits puppetdb::params { if str2bool($database_validate) { # Validate the database connection. If we can't connect, we want to fail # and skip the rest of the configuration, so that we don't leave puppetdb # in a broken state. # # NOTE: # Because of a limitation in the postgres module this will break with # a duplicate declaration if read and write database host+name are the # same. 
class { 'puppetdb::server::validate_db': database => $database, database_host => $database_host, database_port => $database_port, database_username => $database_username, database_password => $database_password, database_name => $database_name, } } $database_ini = "${confdir}/database.ini" file { $database_ini: ensure => file, owner => $puppetdb_user, group => $puppetdb_group, mode => '0600', } $file_require = File[$database_ini] $ini_setting_require = str2bool($database_validate) ? { false => $file_require, default => [$file_require, Class['puppetdb::server::validate_db']], } # Set the defaults Ini_setting { path => $database_ini, ensure => present, section => 'database', require => $ini_setting_require } if $database == 'embedded' { $classname = 'org.hsqldb.jdbcDriver' $subprotocol = 'hsqldb' $subname = "file:${database_embedded_path};hsqldb.tx=mvcc;sql.syntax_pgs=true" } elsif $database == 'postgres' { $classname = 'org.postgresql.Driver' $subprotocol = 'postgresql' if !empty($jdbc_ssl_properties) { $database_suffix = $jdbc_ssl_properties } else { $database_suffix = '' } $subname = "//${database_host}:${database_port}/${database_name}${database_suffix}" ##Only setup for postgres ini_setting {'puppetdb_psdatabase_username': setting => 'username', value => $database_username, } if $database_password != undef and $manage_db_password { ini_setting {'puppetdb_psdatabase_password': setting => 'password', value => $database_password, } } } ini_setting { 'puppetdb_classname': setting => 'classname', value => $classname, } ini_setting { 'puppetdb_subprotocol': setting => 'subprotocol', value => $subprotocol, } ini_setting { 'puppetdb_pgs': setting => 'syntax_pgs', value => true, } ini_setting { 'puppetdb_subname': setting => 'subname', value => $subname, } ini_setting { 'puppetdb_gc_interval': setting => 'gc-interval', value => $gc_interval, } + ini_setting { 'puppetdb_node_purge_gc_batch_limit': + setting => 'node-purge-gc-batch-limit', + value => 
$node_purge_gc_batch_limit, + } + ini_setting { 'puppetdb_node_ttl': setting => 'node-ttl', value => $node_ttl, } ini_setting { 'puppetdb_node_purge_ttl': setting => 'node-purge-ttl', value => $node_purge_ttl, } ini_setting { 'puppetdb_report_ttl': setting => 'report-ttl', value => $report_ttl, } ini_setting { 'puppetdb_log_slow_statements': setting => 'log-slow-statements', value => $log_slow_statements, } ini_setting { 'puppetdb_conn_max_age': setting => 'conn-max-age', value => $conn_max_age, } ini_setting { 'puppetdb_conn_keep_alive': setting => 'conn-keep-alive', value => $conn_keep_alive, } ini_setting { 'puppetdb_conn_lifetime': setting => 'conn-lifetime', value => $conn_lifetime, } if $puppetdb::params::database_max_pool_size_setting_name != undef { if $database_max_pool_size == 'absent' { ini_setting { 'puppetdb_database_max_pool_size': ensure => absent, setting => $puppetdb::params::database_max_pool_size_setting_name, } } elsif $database_max_pool_size != undef { ini_setting { 'puppetdb_database_max_pool_size': setting => $puppetdb::params::database_max_pool_size_setting_name, value => $database_max_pool_size, } } } if ($facts_blacklist) and length($facts_blacklist) != 0 { $joined_facts_blacklist = join($facts_blacklist, ', ') ini_setting { 'puppetdb_facts_blacklist': setting => 'facts-blacklist', value => $joined_facts_blacklist, } } else { ini_setting { 'puppetdb_facts_blacklist': ensure => absent, setting => 'facts-blacklist', } } }
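Review bot: The added `puppetdb_node_purge_gc_batch_limit` ini_setting is written for every PuppetDB version and for both the embedded and postgres backends, whereas the pool-size setting a few lines further down is only written when `$puppetdb::params::database_max_pool_size_setting_name` is defined for the installed version. If the older releases this module still branches on (the `versioncmp` checks in params.pp) do not know `node-purge-gc-batch-limit`, they receive an unrecognised key in database.ini; how they react is not visible from this diff and is worth checking before release. There is also no way to take the line out again, unlike `database_max_pool_size`, which accepts `'absent'`; a matching branch such as `if $node_purge_gc_batch_limit == 'absent' { ini_setting { 'puppetdb_node_purge_gc_batch_limit': ensure => absent, setting => 'node-purge-gc-batch-limit' } }` would keep the two settings consistent.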