(node/rucio01.ls.lsst.org) deploy rucio

hieradata/node/rucio01.ls.lsst.org.yaml

@@ -0,0 +1,26 @@
+---
+nm::connections:
+  ens192:
+    content:
+      connection:
+        id: "ens192"
+        uuid: "fa2c1b82-c58c-3411-bdca-b701a08e2cc0"
+        type: "ethernet"
+        interface-name: "ens192"
+      ethernet: {}
+      ipv4:
+        method: "auto"
+      ipv6:
+        method: "disabled"
+      proxy: {}
+
+nfs::client_enabled: true
+nfs::client_mounts:
+  /repo/LATISS:
+    share: "/auxtel/repo/LATISS"
+    server: "nfs-auxtel.ls.lsst.org"
+    atboot: true
+  /datasets:
+    share: "/lsstdata"
+    server: "nfs-lsstdata.ls.lsst.org"
+    atboot: true

hieradata/role/rucio.yaml

@@ -1,12 +1,32 @@
 ---
 classes:
   - "profile::core::common"
-  - "profile::core::debugutils"
+  - "profile::core::firewall"
+  - "profile::core::nfsclient"
   - "profile::core::rucio"
-  - "python"
 
-python::version: "python36"
-python::pip: "present"
-python::dev: "present"
-python::virtualenv: "present"
-profile::core::common::manage_firewall: false
+profile::core::firewall::firewall:
+  "254 accept incoming on port 1094 from SLAC subnet":
+    proto: "tcp"
+    state: "NEW"
+    dport: "1094"
+    source: "134.79.23.0/24"
+    jump: "accept"
+  "255 accept outgoing on port 1094 to SLAC subnet":
+    proto: "tcp"
+    state: "NEW"
+    sport: "1094"
+    destination: "134.79.23.0/24"
+    jump: "accept"
+  "256 accept incoming on port 1095 from SLAC subnet":
+    proto: "tcp"
+    state: "NEW"
+    dport: "1095"
+    source: "134.79.23.0/24"
+    jump: "accept"
+  "257 accept outgoing on port 1095 to SLAC subnet":
+    proto: "tcp"
+    state: "NEW"
+    sport: "1095"
+    destination: "134.79.23.0/24"
+    jump: "accept"

site/profile/manifests/core/rucio.pp

@@ -1,63 +1,38 @@
 # @summary
 #   Install required rucio packages
 #
-class profile::core::rucio () {
-  include profile::core::letsencrypt
-
-  #  Host FQDN
-  $fqdn = fact('networking.fqdn')
-
-  #  Define XRootD Path
-  $xrootd_path = '/opt/xrootd'
-
-  #  Define Yum Packages
-  $yum_packages = [
-    'gcc-c++',
-    'cmake3',
-    'krb5-devel',
-    'libuuid-devel',
-    'libxml2-devel',
-    'openssl-devel',
-    'systemd-devel',
-    'zlib-devel',
-    'devtoolset-7',
-    'xrootd',
-    'voms',
-  ]
-
-  #  Define PIP Packages
-  $pip_packages = [
-    'wheel',
-    'cryptography',
-    'rucio',
-  ]
-
-  #  Signed Certificate Location
-  $le_root = "/etc/letsencrypt/live/${fqdn}"
-
-  #  Generate and sign certificate
-  letsencrypt::certonly { $fqdn:
-    plugin      => 'dns-route53',
-    manage_cron => true,
+class profile::core::rucio {
+  yumrepo { 'xrootd-stable':
+    descr               => 'XRootD Stable Repository',
+    baseurl             => 'https://xrootd.web.cern.ch/repo/stable/el$releasever/$basearch',
+    skip_if_unavailable => 'true',
+    gpgcheck            => '1',
+    gpgkey              => 'https://xrootd.web.cern.ch/repo/RPM-GPG-KEY.txt',
+    enabled             => '1',
+    target              => '/etc/yum.repo.d/xrootd.repo',
   }
-
-  #  Copy the certificates into /etc/grid-security
-  -> cron::monthly { 'update_cert':
-    command => "/bin/rsync  -a --copy-links  --chown=xrootd:xrootd ${le_root}/cert.pem ${le_root}/chain.pem ${le_root}/fullchain.pem ${le_root}/privkey.pem /etc/grid-security/ /dev/null 2>&1",
-    user    => 'root',
-    hour    => 0,
-    minute  => 0,
-    date    => 1,
+  -> package { 'xrootd':
+    ensure => 'installed',
   }
-
-  #  Install Pip3 Packages
-  package { $pip_packages:
-    ensure   => 'present',
-    provider => 'pip3',
+  file { [
+      '/lib/systemd/system/[email protected]',
+      '/lib/systemd/system/[email protected]',
+    ]:
+      ensure => file,
+      mode   => '0644',
+      owner  => 'saluser',
+      group  => 'saluser',
   }
 
-  #  Install Yum Packages
-  package { $yum_packages:
-    ensure   => 'present',
+  file { [
+      '/etc/xrootd',
+      '/var/log/xrootd',
+      '/var/run/xrootd',
+      '/var/spool/xrootd',
+    ]:
+      ensure => directory,
+      mode   => '0644',
+      owner  => 'saluser',
+      group  => 'saluser',
   }
 }

spec/classes/core/rucio_spec.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'profile::core::rucio' do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      it { is_expected.to compile.with_all_deps }
+
+      it do
+        is_expected.to contain_yumrepo('xrootd-stable').with(
+          descr: 'XRootD Stable Repository',
+          baseurl: 'https://xrootd.web.cern.ch/repo/stable/el$releasever/$basearch',
+          skip_if_unavailable: 'true',
+          gpgcheck: '1',
+          gpgkey: 'https://xrootd.web.cern.ch/repo/RPM-GPG-KEY.txt',
+          enabled: '1',
+          target: '/etc/yum.repo.d/xrootd.repo'
+        )
+      end
+
+      ['/lib/systemd/system/[email protected]', '/lib/systemd/system/[email protected]'].each do |path|
+        it do
+          is_expected.to contain_file(path).with(
+            ensure: 'file',
+            mode: '0644',
+            owner: 'saluser',
+            group: 'saluser'
+          )
+        end
+      end
+
+      ['/etc/xrootd', '/var/log/xrootd', '/var/run/xrootd', '/var/spool/xrootd'].each do |path|
+        it do
+          is_expected.to contain_file(path).with(
+            ensure: 'directory',
+            mode: '0644',
+            owner: 'saluser',
+            group: 'saluser'
+          )
+        end
+      end
+    end
+  end
+end

spec/hosts/nodes/rucio01.ls.lsst.org_spec.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'rucio01.ls.lsst.org', :sitepp do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      let(:facts) do
+        lsst_override_facts(os_facts,
+                            is_virtual: false,
+                            virtual: 'vmware',
+                            dmi: {
+                              'product' => {
+                                'name' => 'VMware7,1',
+                              },
+                            })
+      end
+      let(:node_params) do
+        {
+          role: 'rucio',
+          site: 'ls',
+        }
+      end
+
+      it { is_expected.to compile.with_all_deps }
+
+      include_context 'with nm interface'
+
+      it { is_expected.to have_nm__connection_resource_count(1) }
+
+      context 'with ens192' do
+        let(:interface) { 'ens192' }
+
+        it_behaves_like 'nm enabled interface'
+        it_behaves_like 'nm dhcp interface'
+        it_behaves_like 'nm ethernet interface'
+      end
+
+      it { is_expected.to contain_class('nfs').with_client_enabled(true) }
+
+      it do
+        is_expected.to contain_nfs__client__mount('/repo/LATISS').with(
+          share: '/auxtel/repo/LATISS',
+          server: 'nfs-auxtel.ls.lsst.org',
+          atboot: true
+        )
+      end
+
+      it do
+        is_expected.to contain_nfs__client__mount('/datasets').with(
+          share: '/lsstdata',
+          server: 'nfs-lsstdata.ls.lsst.org',
+          atboot: true
+        )
+      end
+    end
+  end # on os
+end # on_supported_os

spec/hosts/roles/rucio_spec.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+role = 'rucio'
+
+describe "#{role} role" do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      lsst_sites.each do |site|
+        describe "#{role}.#{site}.lsst.org", :sitepp do
+          let(:node_params) do
+            {
+              role:,
+              site:,
+            }
+          end
+          let(:facts) { lsst_override_facts(os_facts) }
+
+          it { is_expected.to compile.with_all_deps }
+        end # host
+      end # lsst_sites
+    end # on os
+  end # on_supported_os
+end # role