pupistry 1.0.0 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +13 -1
- data/{bin → exe}/pupistry +45 -76
- data/lib/pupistry.rb +1 -1
- data/lib/pupistry/agent.rb +40 -60
- data/lib/pupistry/artifact.rb +136 -172
- data/lib/pupistry/bootstrap.rb +30 -35
- data/lib/pupistry/config.rb +59 -31
- data/lib/pupistry/gpg.rb +71 -102
- data/lib/pupistry/storage_aws.rb +56 -61
- data/lib/pupistry/version.rb +3 -0
- data/resources/aws/cfn_pupistry_bucket_and_iam.template +11 -1
- data/resources/packer/amazon_linux.json +17 -0
- data/resources/packer/test_user_data.txt +33 -0
- metadata +92 -5
data/lib/pupistry/artifact.rb
CHANGED
@@ -1,5 +1,7 @@
|
|
1
|
+
# rubocop:disable Style/Documentation, Style/GlobalVars
|
1
2
|
require 'rubygems'
|
2
3
|
require 'yaml'
|
4
|
+
require 'safe_yaml'
|
3
5
|
require 'time'
|
4
6
|
require 'digest'
|
5
7
|
require 'fileutils'
|
@@ -12,13 +14,12 @@ module Pupistry
|
|
12
14
|
# All the functions needed for manipulating the artifats
|
13
15
|
attr_accessor :checksum
|
14
16
|
|
15
|
-
|
16
17
|
def fetch_r10k
|
17
|
-
$logger.info
|
18
|
+
$logger.info 'Using r10k utility to fetch the latest Puppet code'
|
18
19
|
|
19
|
-
unless defined? $config[
|
20
|
-
$logger.fatal
|
21
|
-
|
20
|
+
unless defined? $config['build']['puppetcode']
|
21
|
+
$logger.fatal 'You must configure the build:puppetcode config option in settings.yaml'
|
22
|
+
fail 'Invalid Configuration'
|
22
23
|
end
|
23
24
|
|
24
25
|
# https://github.com/puppetlabs/r10k
|
@@ -33,53 +34,50 @@ module Pupistry
|
|
33
34
|
# doable and much more polished approach. For now the MVP is to just run
|
34
35
|
# it via system, pull requests/patches to fix very welcome!
|
35
36
|
|
36
|
-
|
37
37
|
# Build the r10k config to instruct it to use our cache path for storing
|
38
38
|
# it's data and exporting the finished result.
|
39
|
-
$logger.debug
|
39
|
+
$logger.debug 'Generating an r10k configuration file...'
|
40
40
|
r10k_config = {
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
41
|
+
'cachedir' => "#{$config['general']['app_cache']}/r10kcache",
|
42
|
+
'sources' => {
|
43
|
+
'puppet' => {
|
44
|
+
'remote' => $config['build']['puppetcode'],
|
45
|
+
'basedir' => $config['general']['app_cache'] + '/puppetcode'
|
46
46
|
}
|
47
47
|
}
|
48
48
|
}
|
49
49
|
|
50
50
|
begin
|
51
|
-
File.open("#{$config[
|
52
|
-
fh.write YAML
|
51
|
+
File.open("#{$config['general']['app_cache']}/r10kconfig.yaml", 'w') do |fh|
|
52
|
+
fh.write YAML.dump(r10k_config)
|
53
53
|
end
|
54
|
-
rescue
|
55
|
-
$logger.fatal
|
54
|
+
rescue StandardError => e
|
55
|
+
$logger.fatal 'Unexpected error when trying to write the r10k configuration file'
|
56
56
|
raise e
|
57
57
|
end
|
58
58
|
|
59
|
-
|
60
59
|
# Execute R10k with the provided configuration
|
61
|
-
$logger.debug
|
60
|
+
$logger.debug 'Executing r10k'
|
62
61
|
|
63
|
-
if system "r10k deploy environment -c #{$config[
|
64
|
-
$logger.info
|
62
|
+
if system "r10k deploy environment -c #{$config['general']['app_cache']}/r10kconfig.yaml -pv debug"
|
63
|
+
$logger.info 'r10k run completed'
|
65
64
|
else
|
66
|
-
$logger.error
|
67
|
-
|
65
|
+
$logger.error 'r10k run failed, unable to generate artifact'
|
66
|
+
fail 'r10k run did not complete, unable to generate artifact'
|
68
67
|
end
|
69
|
-
|
70
68
|
end
|
71
69
|
|
72
70
|
def fetch_latest
|
73
71
|
# Fetch the latest S3 YAML file and check the version metadata without writing
|
74
72
|
# it to disk. Returns the version. Useful for quickly checking for updates :-)
|
75
73
|
|
76
|
-
$logger.debug
|
74
|
+
$logger.debug 'Checking latest artifact version...'
|
77
75
|
|
78
|
-
s3 = Pupistry::
|
76
|
+
s3 = Pupistry::StorageAWS.new 'agent'
|
79
77
|
contents = s3.download 'manifest.latest.yaml'
|
80
78
|
|
81
79
|
if contents
|
82
|
-
manifest = YAML
|
80
|
+
manifest = YAML.load(contents, safe: true, raise_on_unknown_tag: true)
|
83
81
|
|
84
82
|
if defined? manifest['version']
|
85
83
|
# We have a manifest version supplied, however since the manifest
|
@@ -93,8 +91,8 @@ module Pupistry
|
|
93
91
|
if /^[A-Za-z0-9]{32}$/.match(manifest['version'])
|
94
92
|
return manifest['version']
|
95
93
|
else
|
96
|
-
$logger.error
|
97
|
-
$logger.error
|
94
|
+
$logger.error 'Manifest version returned from S3 manifest.latest.yaml did not match expected regex of MD5.'
|
95
|
+
$logger.error 'Possible bug or security incident, investigate with care!'
|
98
96
|
$logger.error "Returned version string was: \"#{manifest['version']}\""
|
99
97
|
exit 0
|
100
98
|
end
|
@@ -106,50 +104,44 @@ module Pupistry
|
|
106
104
|
# download did not work
|
107
105
|
return false
|
108
106
|
end
|
109
|
-
|
110
|
-
|
111
107
|
end
|
112
108
|
|
113
|
-
|
114
109
|
def fetch_current
|
115
110
|
# Fetch the latest on-disk YAML file and check the version metadata, used
|
116
111
|
# to determine the latest artifact that has not yet been pushed to S3.
|
117
112
|
# Returns the version.
|
118
113
|
|
119
114
|
# Read the symlink information to get the latest version
|
120
|
-
if File.
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
115
|
+
if File.exist?($config['general']['app_cache'] + '/artifacts/manifest.latest.yaml')
|
116
|
+
manifest = YAML.load(File.open($config['general']['app_cache'] + '/artifacts/manifest.latest.yaml'), safe: true, raise_on_unknown_tag: true)
|
117
|
+
@checksum = manifest['version']
|
118
|
+
else
|
119
|
+
$logger.error 'No artifact has been built yet. You need to run pupistry build first?'
|
120
|
+
return false
|
121
|
+
end
|
127
122
|
end
|
128
123
|
|
129
|
-
|
130
124
|
def fetch_installed
|
131
125
|
# Fetch the current version that is installed.
|
132
|
-
|
126
|
+
|
133
127
|
# Make sure the Puppetcode install directory exists
|
134
|
-
unless Dir.
|
135
|
-
$logger.warn "The destination path of #{$config[
|
128
|
+
unless Dir.exist?($config['agent']['puppetcode'])
|
129
|
+
$logger.warn "The destination path of #{$config['agent']['puppetcode']} does not appear to exist or is not readable"
|
136
130
|
return false
|
137
131
|
end
|
138
132
|
|
139
133
|
# Look for a manifest file in the directory and read the version from it.
|
140
|
-
if File.
|
141
|
-
manifest = YAML
|
134
|
+
if File.exist?($config['agent']['puppetcode'] + '/manifest.pupistry.yaml')
|
135
|
+
manifest = YAML.load(File.open($config['agent']['puppetcode'] + '/manifest.pupistry.yaml'), safe: true, raise_on_unknown_tag: true)
|
142
136
|
|
143
137
|
return manifest['version']
|
144
138
|
else
|
145
|
-
$logger.warn
|
139
|
+
$logger.warn 'No current version installed'
|
146
140
|
return false
|
147
141
|
end
|
148
142
|
end
|
149
143
|
|
150
|
-
|
151
144
|
def fetch_artifact
|
152
|
-
|
153
145
|
# Figure out which version to fetch (if not explicitly defined)
|
154
146
|
if defined? @checksum
|
155
147
|
$logger.debug "Downloading artifact version #{@checksum}"
|
@@ -159,37 +151,32 @@ module Pupistry
|
|
159
151
|
if defined? @checksum
|
160
152
|
$logger.debug "Downloading latest artifact (#{@checksum})"
|
161
153
|
else
|
162
|
-
$logger.error
|
154
|
+
$logger.error 'There is not current artifact that can be fetched'
|
163
155
|
return false
|
164
156
|
end
|
165
157
|
|
166
158
|
end
|
167
159
|
|
168
160
|
# Make sure the download dir/cache exists
|
169
|
-
unless Dir.
|
170
|
-
FileUtils.mkdir_p $config["general"]["app_cache"] + "/artifacts/"
|
171
|
-
end
|
161
|
+
FileUtils.mkdir_p $config['general']['app_cache'] + '/artifacts/' unless Dir.exist?($config['general']['app_cache'] + '/artifacts/')
|
172
162
|
|
173
163
|
# Download files if they don't already exist
|
174
|
-
if File.
|
175
|
-
|
164
|
+
if File.exist?($config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml") &&
|
165
|
+
File.exist?($config['general']['app_cache'] + "/artifacts/artifact.#{@checksum}.tar.gz")
|
166
|
+
$logger.debug 'This artifact is already present, no download required.'
|
176
167
|
else
|
177
|
-
s3 = Pupistry::
|
178
|
-
s3.download "manifest.#{@checksum}.yaml", $config[
|
179
|
-
s3.download "artifact.#{@checksum}.tar.gz", $config[
|
168
|
+
s3 = Pupistry::StorageAWS.new 'agent'
|
169
|
+
s3.download "manifest.#{@checksum}.yaml", $config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml"
|
170
|
+
s3.download "artifact.#{@checksum}.tar.gz", $config['general']['app_cache'] + "/artifacts/artifact.#{@checksum}.tar.gz"
|
180
171
|
end
|
181
|
-
|
182
172
|
end
|
183
173
|
|
184
|
-
|
185
|
-
|
186
174
|
def push_artifact
|
187
175
|
# The push step involves 2 steps:
|
188
176
|
# 1. GPG sign the artifact and write it into the manifest file
|
189
177
|
# 2. Upload the manifest and archive files to S3.
|
190
178
|
# 3. Upload a copy as the "latest" manifest file which will be hit by clients.
|
191
179
|
|
192
|
-
|
193
180
|
# Determine which version we are uploading. Either one specifically
|
194
181
|
# selected, otherwise find the latest one to push
|
195
182
|
|
@@ -206,65 +193,60 @@ module Pupistry
|
|
206
193
|
end
|
207
194
|
end
|
208
195
|
|
209
|
-
|
210
196
|
# Do we even need to upload? If nothing has changed....
|
211
197
|
if @checksum == fetch_latest
|
212
198
|
$logger.error "You've already pushed this artifact version, nothing to do."
|
213
199
|
exit 0
|
214
200
|
end
|
215
201
|
|
216
|
-
|
217
202
|
# Make sure the files actually exist...
|
218
|
-
unless File.
|
203
|
+
unless File.exist?($config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml")
|
219
204
|
$logger.error "The files expected for #{@checksum} do not appear to exist or are not readable"
|
220
|
-
|
205
|
+
fail 'Fatal unexpected error'
|
221
206
|
end
|
222
207
|
|
223
|
-
unless File.
|
208
|
+
unless File.exist?($config['general']['app_cache'] + "/artifacts/artifact.#{@checksum}.tar.gz")
|
224
209
|
$logger.error "The files expected for #{@checksum} do not appear to exist or are not readable"
|
225
|
-
|
210
|
+
fail 'Fatal unexpected error'
|
226
211
|
end
|
227
212
|
|
228
|
-
|
229
213
|
# GPG sign the files
|
230
|
-
if $config[
|
231
|
-
$logger.warn
|
232
|
-
$logger.warn
|
214
|
+
if $config['general']['gpg_disable'] == true
|
215
|
+
$logger.warn 'You have GPG signing *disabled*, whilst not critical it does weaken your security.'
|
216
|
+
$logger.warn 'Skipping signing step...'
|
233
217
|
else
|
234
218
|
|
235
219
|
gpgsig = Pupistry::GPG.new @checksum
|
236
220
|
|
237
221
|
# Sign the artifact
|
238
222
|
unless gpgsig.artifact_sign
|
239
|
-
$logger.fatal
|
223
|
+
$logger.fatal 'Unable to proceed with an unsigned artifact'
|
240
224
|
exit 0
|
241
225
|
end
|
242
226
|
|
243
227
|
# Verify the signature - we want to make sure what we've just signed
|
244
228
|
# can actually be validated properly :-)
|
245
229
|
unless gpgsig.artifact_verify
|
246
|
-
$logger.fatal
|
230
|
+
$logger.fatal 'Whilst a signature was generated, it was unable to be validated. This would suggest a bug of some kind.'
|
247
231
|
exit 0
|
248
232
|
end
|
249
233
|
|
250
234
|
# Save the signature to the manifest
|
251
235
|
unless gpgsig.signature_save
|
252
|
-
$logger.fatal
|
236
|
+
$logger.fatal 'Unable to write the signature into the manifest file for the artifact.'
|
253
237
|
exit 0
|
254
238
|
end
|
255
239
|
|
256
240
|
end
|
257
241
|
|
258
|
-
|
259
|
-
# Upload the artifact & manifests to S3. We also make an additional copy
|
242
|
+
# Upload the artifact & manifests to S3. We also make an additional copy
|
260
243
|
# as the "latest" file which will be downloaded by all the agents checking
|
261
244
|
# for new updates.
|
262
245
|
|
263
|
-
s3 = Pupistry::
|
264
|
-
s3.upload $config[
|
265
|
-
s3.upload $config[
|
266
|
-
s3.upload $config[
|
267
|
-
|
246
|
+
s3 = Pupistry::StorageAWS.new 'build'
|
247
|
+
s3.upload $config['general']['app_cache'] + "/artifacts/artifact.#{@checksum}.tar.gz", "artifact.#{@checksum}.tar.gz"
|
248
|
+
s3.upload $config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml", "manifest.#{@checksum}.yaml"
|
249
|
+
s3.upload $config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml", 'manifest.latest.yaml'
|
268
250
|
|
269
251
|
# Test a read of the manifest, we do this to make sure the S3 ACLs setup
|
270
252
|
# allow downloading of the uploaded files - helps avoid user headaches if
|
@@ -273,7 +255,7 @@ module Pupistry
|
|
273
255
|
# Only worth doing this step if they've explicitly set their AWS IAM credentials
|
274
256
|
# for the agent, which should be everyone except for IAM role users.
|
275
257
|
|
276
|
-
if $config[
|
258
|
+
if $config['agent']['access_key_id']
|
277
259
|
fetch_artifact
|
278
260
|
else
|
279
261
|
$logger.warn "The agent's AWS credentials are unset on this machine, unable to do download test to check permissions for you."
|
@@ -282,7 +264,6 @@ module Pupistry
|
|
282
264
|
|
283
265
|
$logger.info "Upload of artifact version #{@checksum} completed and is now latest"
|
284
266
|
end
|
285
|
-
|
286
267
|
|
287
268
|
def build_artifact
|
288
269
|
# r10k has done all the heavy lifting for us, we just need to generate a
|
@@ -292,10 +273,9 @@ module Pupistry
|
|
292
273
|
# the file. Like r10k, if you want to convert to a nicely polished native
|
293
274
|
# Ruby solution, patches welcome.
|
294
275
|
|
295
|
-
$logger.info
|
296
|
-
|
297
|
-
Dir.chdir($config["general"]["app_cache"]) do
|
276
|
+
$logger.info 'Creating artifact...'
|
298
277
|
|
278
|
+
Dir.chdir($config['general']['app_cache']) do
|
299
279
|
# Make sure there is a directory to write artifacts into
|
300
280
|
FileUtils.mkdir_p('artifacts')
|
301
281
|
|
@@ -303,94 +283,93 @@ module Pupistry
|
|
303
283
|
# so that we can grab the checksum, since checksum will always differ
|
304
284
|
# post-compression.
|
305
285
|
unless system "tar -c --exclude '.git' -f artifacts/artifact.temp.tar puppetcode/*"
|
306
|
-
$logger.error
|
307
|
-
|
286
|
+
$logger.error 'Unable to create tarball'
|
287
|
+
fail 'An unexpected error occured when executing tar'
|
308
288
|
end
|
309
289
|
|
310
290
|
# The checksum is important, we use it as our version for each artifact
|
311
291
|
# so we can tell them apart in a unique way.
|
312
|
-
@checksum = Digest::MD5.file($config[
|
292
|
+
@checksum = Digest::MD5.file($config['general']['app_cache'] + '/artifacts/artifact.temp.tar').hexdigest
|
313
293
|
|
314
294
|
# Now we have the checksum, check if it's the same as any existing
|
315
295
|
# artifacts. If so, drop out here, good to give feedback to the user
|
316
296
|
# if nothing has changed since it's easy to forget to git push a single
|
317
297
|
# module/change.
|
318
298
|
|
319
|
-
if File.
|
299
|
+
if File.exist?($config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml")
|
320
300
|
$logger.error "This artifact version (#{@checksum}) has already been built, nothing todo."
|
321
301
|
$logger.error "Did you remember to \"git push\" your module changes?"
|
322
302
|
|
323
303
|
# Cleanup temp file
|
324
|
-
FileUtils.rm($config[
|
304
|
+
FileUtils.rm($config['general']['app_cache'] + '/artifacts/artifact.temp.tar')
|
325
305
|
exit 0
|
326
306
|
end
|
327
307
|
|
328
308
|
# Compress the artifact now that we have taken it's checksum
|
329
|
-
$logger.info
|
309
|
+
$logger.info 'Compressing artifact...'
|
330
310
|
|
331
|
-
if system
|
311
|
+
if system 'gzip artifacts/artifact.temp.tar'
|
332
312
|
else
|
333
|
-
$logger.error
|
334
|
-
|
313
|
+
$logger.error 'An unexpected error occured during compression of the artifact'
|
314
|
+
fail 'An unexpected error occured during compression of the artifact'
|
335
315
|
end
|
336
316
|
end
|
337
317
|
|
338
|
-
|
339
318
|
# We have the checksum, so we can now rename the artifact file
|
340
|
-
FileUtils.mv($config[
|
319
|
+
FileUtils.mv($config['general']['app_cache'] + '/artifacts/artifact.temp.tar.gz',
|
320
|
+
$config['general']['app_cache'] + "/artifacts/artifact.#{@checksum}.tar.gz")
|
341
321
|
|
342
|
-
|
343
|
-
$logger.info "Building manifest information for artifact..."
|
322
|
+
$logger.info 'Building manifest information for artifact...'
|
344
323
|
|
345
324
|
# Create the manifest file, this is used by clients for pulling details about
|
346
325
|
# the latest artifacts. We don't GPG sign here, but we do put in a placeholder.
|
347
326
|
manifest = {
|
348
|
-
|
349
|
-
|
350
|
-
|
351
|
-
|
327
|
+
'version' => @checksum,
|
328
|
+
'date' => Time.new.inspect,
|
329
|
+
'builduser' => ENV['USER'] || 'unlabled',
|
330
|
+
'gpgsig' => 'unsigned'
|
352
331
|
}
|
353
332
|
|
354
333
|
begin
|
355
|
-
File.open("#{$config[
|
356
|
-
fh.write YAML
|
334
|
+
File.open("#{$config['general']['app_cache']}/artifacts/manifest.#{@checksum}.yaml", 'w') do |fh|
|
335
|
+
fh.write YAML.dump(manifest)
|
357
336
|
end
|
358
|
-
rescue
|
359
|
-
$logger.fatal
|
337
|
+
rescue StandardError => e
|
338
|
+
$logger.fatal 'Unexpected error when trying to write the manifest file'
|
360
339
|
raise e
|
361
340
|
end
|
362
341
|
|
363
342
|
# This is the latest artifact, create some symlinks pointing the latest to it
|
364
343
|
begin
|
365
|
-
FileUtils.ln_s("manifest.#{@checksum}.yaml",
|
366
|
-
|
367
|
-
|
368
|
-
|
344
|
+
FileUtils.ln_s("manifest.#{@checksum}.yaml",
|
345
|
+
"#{$config['general']['app_cache']}/artifacts/manifest.latest.yaml",
|
346
|
+
force: true)
|
347
|
+
FileUtils.ln_s("artifact.#{@checksum}.tar.gz",
|
348
|
+
"#{$config['general']['app_cache']}/artifacts/artifact.latest.tar.gz",
|
349
|
+
force: true)
|
350
|
+
rescue StandardError => e
|
351
|
+
$logger.fatal 'Something weird went really wrong trying to symlink the latest artifacts'
|
369
352
|
raise e
|
370
353
|
end
|
371
354
|
|
372
|
-
|
373
355
|
$logger.info "New artifact version #{@checksum} ready for pushing"
|
374
356
|
end
|
375
357
|
|
376
|
-
|
377
358
|
def unpack
|
378
359
|
# Unpack the currently selected artifact to the archives directory.
|
379
|
-
|
360
|
+
|
380
361
|
# An application version must be specified
|
381
|
-
unless defined? @checksum
|
382
|
-
raise "Application bug, trying to unpack no artifact"
|
383
|
-
end
|
362
|
+
fail 'Application bug, trying to unpack no artifact' unless defined? @checksum
|
384
363
|
|
385
364
|
# Make sure the files actually exist...
|
386
|
-
unless File.
|
365
|
+
unless File.exist?($config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml")
|
387
366
|
$logger.error "The files expected for #{@checksum} do not appear to exist or are not readable"
|
388
|
-
|
367
|
+
fail 'Fatal unexpected error'
|
389
368
|
end
|
390
369
|
|
391
|
-
unless File.
|
370
|
+
unless File.exist?($config['general']['app_cache'] + "/artifacts/artifact.#{@checksum}.tar.gz")
|
392
371
|
$logger.error "The files expected for #{@checksum} do not appear to exist or are not readable"
|
393
|
-
|
372
|
+
fail 'Fatal unexpected error'
|
394
373
|
end
|
395
374
|
|
396
375
|
# Clean up an existing unpacked copy - in *theory* it should be same, but
|
@@ -399,73 +378,64 @@ module Pupistry
|
|
399
378
|
clean_unpack
|
400
379
|
|
401
380
|
# Unpack the archive file
|
402
|
-
FileUtils.mkdir_p($config[
|
403
|
-
Dir.chdir($config[
|
404
|
-
|
405
|
-
unless system "tar -xf ../artifact.#{@checksum}.tar.gz"
|
406
|
-
$logger.error "Unable to unpack artifact files to #{Dir.pwd}"
|
407
|
-
raise "An unexpected error occured when executing tar"
|
408
|
-
else
|
381
|
+
FileUtils.mkdir_p($config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}")
|
382
|
+
Dir.chdir($config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}") do
|
383
|
+
if system "tar -xf ../artifact.#{@checksum}.tar.gz"
|
409
384
|
$logger.debug "Successfully unpacked artifact #{@checksum}"
|
385
|
+
else
|
386
|
+
$logger.error "Unable to unpack artifact files to #{Dir.pwd}"
|
387
|
+
fail 'An unexpected error occured when executing tar'
|
410
388
|
end
|
411
389
|
end
|
412
|
-
|
413
390
|
end
|
414
391
|
|
415
|
-
|
416
392
|
def install
|
417
393
|
# Copy the unpacked artifact into the agent's configured location. Generally all the
|
418
394
|
# heavy lifting is done by fetch_latest and unpack methods.
|
419
395
|
|
420
396
|
# An application version must be specified
|
421
|
-
unless defined? @checksum
|
422
|
-
raise "Application bug, trying to install no artifact"
|
423
|
-
end
|
397
|
+
fail 'Application bug, trying to install no artifact' unless defined? @checksum
|
424
398
|
|
425
399
|
# Validate the artifact if GPG is enabled.
|
426
|
-
if $config[
|
427
|
-
$logger.warn
|
428
|
-
$logger.warn
|
400
|
+
if $config['general']['gpg_disable'] == true
|
401
|
+
$logger.warn 'You have GPG validation *disabled*, whilst not critical it does weaken your security.'
|
402
|
+
$logger.warn 'Skipping validation step...'
|
429
403
|
else
|
430
404
|
|
431
405
|
gpgsig = Pupistry::GPG.new @checksum
|
432
406
|
|
433
407
|
unless gpgsig.artifact_verify
|
434
|
-
$logger.fatal
|
435
|
-
|
408
|
+
$logger.fatal 'The GPG signature could not be validated for the artifact. This could be a bug, a file corruption or a POSSIBLE SECURITY ISSUE such as maliciously modified content.'
|
409
|
+
fail 'Fatal unexpected error'
|
436
410
|
end
|
437
411
|
|
438
412
|
end
|
439
413
|
|
440
|
-
|
441
414
|
# Make sure the artifact has been unpacked
|
442
|
-
unless Dir.
|
415
|
+
unless Dir.exist?($config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}")
|
443
416
|
$logger.error "The unpacked directory expected for #{@checksum} does not appear to exist or is not readable"
|
444
|
-
|
417
|
+
fail 'Fatal unexpected error'
|
445
418
|
end
|
446
419
|
|
447
420
|
# Purge any currently installed files in the directory. See clean_install
|
448
|
-
# TODO notes for how this could be improved.
|
449
|
-
unless clean_install
|
450
|
-
$logger.error "Installation not proceeduing due to issues cleaning/prepping destination dir"
|
451
|
-
end
|
421
|
+
# TODO: notes for how this could be improved.
|
422
|
+
$logger.error 'Installation not proceeding due to issues cleaning/prepping destination dir' unless clean_install
|
452
423
|
|
453
424
|
# Make sure the destination directory exists
|
454
|
-
unless Dir.
|
455
|
-
$logger.error "The destination path of #{$config[
|
456
|
-
|
425
|
+
unless Dir.exist?($config['agent']['puppetcode'])
|
426
|
+
$logger.error "The destination path of #{$config['agent']['puppetcode']} does not appear to exist or is not readable"
|
427
|
+
fail 'Fatal unexpected error'
|
457
428
|
end
|
458
|
-
|
429
|
+
|
459
430
|
# Clone unpacked contents to the installation directory
|
460
431
|
begin
|
461
|
-
FileUtils.cp_r $config[
|
462
|
-
FileUtils.cp
|
432
|
+
FileUtils.cp_r $config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}/puppetcode/.", $config['agent']['puppetcode']
|
433
|
+
FileUtils.cp $config['general']['app_cache'] + "/artifacts/manifest.#{@checksum}.yaml", $config['agent']['puppetcode'] + '/manifest.pupistry.yaml'
|
463
434
|
return true
|
464
435
|
rescue
|
465
|
-
$logger.fatal "An unexpected error occured when copying the unpacked artifact to #{$config[
|
436
|
+
$logger.fatal "An unexpected error occured when copying the unpacked artifact to #{$config['agent']['puppetcode']}"
|
466
437
|
raise e
|
467
438
|
end
|
468
|
-
|
469
439
|
end
|
470
440
|
|
471
441
|
def clean_install
|
@@ -476,49 +446,43 @@ module Pupistry
|
|
476
446
|
# TODO: Do this smarter, we should track what files we drop in, and then remove
|
477
447
|
# any that weren't touched. Need to avoid rsync and stick with native to make
|
478
448
|
# support easier for weird/minimilistic distributions.
|
479
|
-
|
480
|
-
if defined? $config[
|
481
|
-
if $config[
|
449
|
+
|
450
|
+
if defined? $config['agent']['puppetcode'] # rubocop:disable Style/GuardClause
|
451
|
+
if $config['agent']['puppetcode'].empty?
|
482
452
|
$logger.error "You must configure a location for the agent's Puppet code to be deployed to"
|
483
453
|
return false
|
484
454
|
else
|
485
|
-
$logger.debug "Cleaning up #{$config[
|
455
|
+
$logger.debug "Cleaning up #{$config['agent']['puppetcode']} directory"
|
486
456
|
|
487
|
-
if Dir.
|
488
|
-
FileUtils.rm_r Dir.glob($config[
|
457
|
+
if Dir.exist?($config['agent']['puppetcode'])
|
458
|
+
FileUtils.rm_r Dir.glob($config['agent']['puppetcode'] + '/*'), secure: true
|
489
459
|
else
|
490
|
-
FileUtils.mkdir_p $config[
|
491
|
-
FileUtils.chmod(0700, $config[
|
460
|
+
FileUtils.mkdir_p $config['agent']['puppetcode']
|
461
|
+
FileUtils.chmod(0700, $config['agent']['puppetcode'])
|
492
462
|
end
|
493
463
|
|
494
464
|
return true
|
495
465
|
end
|
496
466
|
end
|
497
|
-
|
498
467
|
end
|
499
468
|
|
500
|
-
|
501
469
|
def clean_unpack
|
502
470
|
# Cleanup/remove any unpacked archive directories. Requires that the
|
503
471
|
# checksum be set to the version to be purged.
|
504
472
|
|
505
|
-
unless defined? @checksum
|
506
|
-
raise "Application bug, trying to unpack no artifact"
|
507
|
-
end
|
473
|
+
fail 'Application bug, trying to unpack no artifact' unless defined? @checksum
|
508
474
|
|
509
|
-
if Dir.
|
510
|
-
$logger.debug "Cleaning up #{$config[
|
511
|
-
FileUtils.rm_r $config[
|
475
|
+
if Dir.exist?($config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}/")
|
476
|
+
$logger.debug "Cleaning up #{$config['general']['app_cache']}/artifacts/unpacked.#{@checksum}..."
|
477
|
+
FileUtils.rm_r $config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}", secure: true
|
512
478
|
return true
|
513
479
|
else
|
514
|
-
$logger.debug
|
480
|
+
$logger.debug 'Nothing to cleanup (selected artifact is not currently unpacked)'
|
515
481
|
return true
|
516
482
|
end
|
517
483
|
|
518
|
-
|
519
|
-
|
484
|
+
false
|
520
485
|
end
|
521
|
-
|
522
486
|
end
|
523
487
|
end
|
524
488
|
|