diff --git a/files/grid12.lal.in2p3.fr.lsc b/files/grid12.lal.in2p3.fr.lsc
new file mode 100644
index 0000000000000000000000000000000000000000..49b3668620ba81c8f2a31dffb5ded8c7e443ae5f
--- /dev/null
+++ b/files/grid12.lal.in2p3.fr.lsc
@@ -0,0 +1,2 @@
+/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr
+/C=FR/O=MENESR/OU=GRID-FR/CN=AC GRID-FR Services
diff --git a/files/vo.hess-experiment.eu b/files/vo.hess-experiment.eu
new file mode 100644
index 0000000000000000000000000000000000000000..b207d8210855136b7493ca7ef55cf1089672c6e6
--- /dev/null
+++ b/files/vo.hess-experiment.eu
@@ -0,0 +1,2 @@
+# https://grid12.lal.in2p3.fr:8443/voms/vo.hess-experiment.eu
+"vo.hess-experiment.eu" "grid12.lal.in2p3.fr" "20021" "/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=grid12.lal.in2p3.fr" "vo.hess-experiment.eu"
diff --git a/manifests/cache.pp b/manifests/cache.pp
new file mode 100644
index 0000000000000000000000000000000000000000..988c32f16c5e7c2d7af4b3e5b237e50d5a03e16a
--- /dev/null
+++ b/manifests/cache.pp
@@ -0,0 +1,62 @@
+#
+# Class to configure the ARC cache servers, aka data-delivery-service.
+#
+
+class arc::cache
+{
+ include x509certs::hostcert::gridcert
+ include x509certs::egi::lcg_cas
+ include arc::logdir
+ include arc::devs
+
+ # Install the packages
+ package {
+ [ 'nordugrid-arc-arex', # Needed for cache-clean
+ 'nordugrid-arc-datadelivery-service',
+ 'nordugrid-arc-plugins-globus',
+ 'nordugrid-arc-plugins-xrootd',
+ 'nordugrid-arc-plugins-gfal',
+ ]:
+ ensure => installed;
+ }
+
+ file {
+ '/etc/arc.conf':
+ ensure => file,
+ content => template('arc/arc.conf-cache.erb'),
+ owner => 'root', group => 'root', mode => '0444',
+ require => Package['nordugrid-arc-datadelivery-service'];
+ }
+
+ iptables {
+ arc-cache-server:
+ ipfamily => ['ipv4','ipv6'],
+ chain => 'INPUT',
+ saddr => [
+ 'atlas.bluegrass.nsc.liu.se',
+ 'arctest.bluegrass.nsc.liu.se', ],
+ proto => 'tcp', dport => '60002',
+ target => 'ACCEPT',
+ comment => 'ARC Data Delivery Service';
+ }
+
+ service {
+ 'arc-datadelivery-service':
+ enable => true, ensure => $running,
+ hasstatus => true, hasrestart => true,
+ require => Class[arc::logdir],
+ subscribe => File['/etc/arc.conf'];
+ 'arc-arex':
+ enable => false, ensure => stopped;
+ 'arched':
+ enable => false, ensure => stopped;
+ }
+
+ cron {
+ cache-clean:
+ command => "/usr/libexec/arc/cache-clean -m90 -M95 -D INFO /export/cache >> $arc::logdir::logdir/cache-clean.log 2>&1",
+ user => 'root',
+ month => '*', monthday => '*', weekday => '*',
+ hour => '*', minute => '*/5';
+ }
+}
diff --git a/manifests/client.pp b/manifests/client.pp
new file mode 100644
index 0000000000000000000000000000000000000000..67ac5ac871dbb0dac9c3c0ecbb47a0264012c5c7
--- /dev/null
+++ b/manifests/client.pp
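Review bot: The new `arc::cache` drops the `include x509certs::egi::trustanchors` that the version being removed from init.pp had next to `x509certs::egi::lcg_cas`; unless `lcg_cas` is known to ship the same CA bundle, the data-delivery service will fail to validate peer certificates issued by CAs that only the trustanchors set provides, so the omission deserves a comment stating it is intentional or the include restored. `ensure => $running` on `arc-datadelivery-service` reads an unqualified `$running` that nothing in this file declares; presumably it is a top-scope variable, in which case `ensure => $::running` states the intent and avoids a dynamic-scope lookup. The same unqualified `$running` appears in server.pp and squid.pp in this commit.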
@@ -0,0 +1,21 @@
+#
+# Install the Nordugrid ARC client. Needs access to some kind of repo.
+# This class is not in use on Bluegrass at the moment and should be
+# synced with the arc.pp class on Babylon.
+#
+
+class arc::client
+{
+ include x509certs::egi::lcg_cas
+
+ package {
+ [
+ 'nordugrid-arc-client',
+ 'nordugrid-arc-plugins-globus',
+ 'nordugrid-arc-plugins-xrootd',
+ 'nordugrid-arc-plugins-gfal',
+ 'nordugrid-arc-doc',
+ ]:
+ ensure => installed;
+ }
+}
diff --git a/manifests/devs.pp b/manifests/devs.pp
new file mode 100644
index 0000000000000000000000000000000000000000..78a833d1977fbcfaa9431cbac6461da32c20eb12
--- /dev/null
+++ b/manifests/devs.pp
@@ -0,0 +1,73 @@
+#
+# Class to add some additional external users to the system.
+#
+# These are developers that sometimes needs to log in and take a peek.
+#
+
+class arc::devs
+{
+ # Activate debugging accounts for ARC developers and
+ # central NDGF staff. The actual users are added in
+ # users.pp as usual.
+
+ arc::devkeys {
+ 'maikenp':
+ key => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz6IKkS4HvNSPQgk0fGGPTHYT1lbKY2d9eAlfsOxOMydoyFWiRffgiJK+JSEB8w89/fWfNkscLj3sVbnA8kH/19EdrpWBs19R8m5SuK7CILoWz5gdc7EsZnF1qjJOYtqRs9+m2YnkfqKufwlnjdKUJBsPf73FHx4wYejdpKr24NO4H9X4Kbz1KtKwHeQmiFS+Yz1lfnXjXFuYb3VWvLO2Nb+pkC6yFFQU3pOTsgGuReCsTYOgCmuIIw97WoRLGH3CydjKbRaFhYs5Bvo1tDtEURLGPeMFL2cSt9cLIYrCT2PyyqNU4okkepOFrog7GedhQzBnF1E0WHN9e8pzFXWhr maikenp@purplerain.uio.no';
+ 'aleksandr':
+ key => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdSSGwij0EJsayOeuoSgC3sP47p/9o2yCIIS1SmIxDGJicyac9Vls7+9Ylnxju8bniT8hClV82EbmESFNRFfFqP8SGjQLXeFv/FpOprzx05OEkFhhv2vXW9njDwduyRQF4AdnAZRHS2/p6H2hS5UOEnXroUgWd9wrA0YLr9YUQNule4/6XqD0QKKBW/ai8HzBqZ0XDunYHk6PMny9atfaG6JJ3GxW06HMeMKJMT3M3/E3pOdD0Ye3NVqMIJTYhR0n2/qX5nxlQGwbh7Z4feZnzxX6LvQkNYDhlLfErQTQCC5BkyyTFve0vD6ZXC52tm1i+XLYw6vj4YDNPflnAKfBj akonstantinov@yahoo.com';
+ 'david':
+ key => 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp8ajIWbrLro2jztMP+ue0J/lW9OtEtBmWmSRGgfW4QQsJcBuYT+H1BDJh3cQLVXJ6vexThgTslu1ONIvwgxjGgARwu1BjT5K/e68d/Sd8JZirzpJLRRfU4ern6/UFt9uonaQtvAm/4Y2Ik1zGgClKARc8lAE/g544u7nFNuQpOHJVscrGwtj+vBR9A5klTLIAdlO2WHGjT9Zo+jKoxy1tDlJ0EOSFacgYqHRdEhVnAaIW1kEdDiEEVxwDqTNrDq+5QN0IlN7BpuvgsldByQ9EZJrUHCa+ApvP33QmRIQ728393BQsPtvsLZBn2zM+qppmIsSfGs3mVyUl0H31u6CLQ== dcameron@pcoslo4.cern.ch';
+ }
+
+ sudo::runas {
+ 'arcdevs':
+ user => ['david', 'aleksandr', 'maikenp', ],
+ asuser => 'ALL', commands => 'ALL';
+ }
+
+ iptables {
+ arcdevs-ssh:
+ ipfamily => ['ipv4','ipv6'],
+ chain => 'INPUT',
+ saddr => [ '128.141.229.0/24', # david
+ '109.105.124.128/25', # NDGF HQ
+ 'purplerain.uio.no', # maikenp
+ '193.157.198.40', # maikenp
+ '82-135-155-59.static.zebra.lt', # aleksandr
+ ],
+ proto => 'tcp', dport => 'ssh',
+ target => 'ACCEPT',
+ comment => 'SSH for ARC developers and NDGF staff';
+ }
+}
+
+
+define arc::devkeys($key, $ensure='enabled', $homepath='/home')
+{
+ case $ensure {
+ 'enabled', 'disabled', 'absent': {
+ }
+ default: {
+ fail("arc::devkeys[${title}]: Bad parameter ensure: ${ensure}")
+ }
+ }
+
+ $sshdir = "$homepath/$title/.ssh"
+ $sshauthfile = "$sshdir/authorized_keys"
+
+ file {
+ $sshdir:
+ ensure => directory,
+ owner => $title, group => $title, mode => '0700';
+ $sshauthfile:
+ ensure => file,
+ owner => $title, group => $title, mode => '0600',
+ require => File[$sshdir];
+ }
+ ensure_line {
+ $title:
+ file => $sshauthfile,
+ line => "$key",
+ require => File[$sshauthfile];
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index dd76214def488c8ab23803a885b7003cd99e4ffb..218d8921e515dd953a198cde4ef124ea4554c65e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
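Review bot: In `define arc::devkeys`, `$ensure` is validated against `enabled`/`disabled`/`absent` but never used afterwards: the `file` and `ensure_line` resources install the key for every value, so `ensure => 'absent'` cannot revoke a developer key. Either drop the parameter or gate on it, e.g. wrap the two resources in `if $ensure == 'enabled' { … }` and, if `ensure_line` supports removal, emit the key line with `ensure => absent` for the other values. Separately, `sudo::runas 'arcdevs'` grants `asuser => 'ALL', commands => 'ALL'` to three external accounts on every host that includes `arc::devs` (both `arc::cache` and `arc::server` in this commit do), which is unrestricted root for what the header comment describes as logging in to "take a peek"; if read-only debugging is the intent, a narrower command list or at least a justification in the class header is warranted. The SSH rule also whitelists by DNS name (`purplerain.uio.no`, `82-135-155-59.static.zebra.lt`), so its effective addresses depend on resolution at catalog compile time and will silently follow those records if they change.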
@@ -1,391 +1 @@ -class arc::voms::repoinstall -{ - package { - 'voms': - ensure => installed; - # Install VO-packages for CERN VO:s - 'wlcg-repo': - ensure => installed, - require => Package['voms'], - tag => 'pkgrepo'; - } -} - - -class arc::voms -{ - include stages - class { 'arc::voms::repoinstall': - stage => 'repoinstall', - } - - package { - [ 'wlcg-voms-ops', 'wlcg-voms-atlas', 'wlcg-voms-dteam', ]: - ensure => installed, - require => Package['wlcg-repo']; - } -} - - -define arc::devkeys($key, $ensure='enabled', $homepath='/home') -{ - case $ensure { - 'enabled', 'disabled', 'absent': { - } - default: { - fail("arc::devkeys[${title}]: Bad parameter ensure: ${ensure}") - } - } - - $sshdir = "$homepath/$title/.ssh" - $sshauthfile = "$sshdir/authorized_keys" - - file { - $sshdir: - ensure => directory, - owner => $title, group => $title, mode => '0700'; - $sshauthfile: - ensure => file, - owner => $title, group => $title, mode => '0600', - require => File[$sshdir]; - } - ensure_line { - $title: - file => $sshauthfile, - line => "$key", - require => File[$sshauthfile]; - } -} - - -class arc::devs -{ - # Activate debugging accounts for ARC developers and - # central NDGF staff. The actual users are added in - # users.pp as usual. 
- - arc::devkeys { - 'maikenp': - key => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz6IKkS4HvNSPQgk0fGGPTHYT1lbKY2d9eAlfsOxOMydoyFWiRffgiJK+JSEB8w89/fWfNkscLj3sVbnA8kH/19EdrpWBs19R8m5SuK7CILoWz5gdc7EsZnF1qjJOYtqRs9+m2YnkfqKufwlnjdKUJBsPf73FHx4wYejdpKr24NO4H9X4Kbz1KtKwHeQmiFS+Yz1lfnXjXFuYb3VWvLO2Nb+pkC6yFFQU3pOTsgGuReCsTYOgCmuIIw97WoRLGH3CydjKbRaFhYs5Bvo1tDtEURLGPeMFL2cSt9cLIYrCT2PyyqNU4okkepOFrog7GedhQzBnF1E0WHN9e8pzFXWhr maikenp@purplerain.uio.no'; - 'aleksandr': - key => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdSSGwij0EJsayOeuoSgC3sP47p/9o2yCIIS1SmIxDGJicyac9Vls7+9Ylnxju8bniT8hClV82EbmESFNRFfFqP8SGjQLXeFv/FpOprzx05OEkFhhv2vXW9njDwduyRQF4AdnAZRHS2/p6H2hS5UOEnXroUgWd9wrA0YLr9YUQNule4/6XqD0QKKBW/ai8HzBqZ0XDunYHk6PMny9atfaG6JJ3GxW06HMeMKJMT3M3/E3pOdD0Ye3NVqMIJTYhR0n2/qX5nxlQGwbh7Z4feZnzxX6LvQkNYDhlLfErQTQCC5BkyyTFve0vD6ZXC52tm1i+XLYw6vj4YDNPflnAKfBj akonstantinov@yahoo.com'; - 'david': - key => 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp8ajIWbrLro2jztMP+ue0J/lW9OtEtBmWmSRGgfW4QQsJcBuYT+H1BDJh3cQLVXJ6vexThgTslu1ONIvwgxjGgARwu1BjT5K/e68d/Sd8JZirzpJLRRfU4ern6/UFt9uonaQtvAm/4Y2Ik1zGgClKARc8lAE/g544u7nFNuQpOHJVscrGwtj+vBR9A5klTLIAdlO2WHGjT9Zo+jKoxy1tDlJ0EOSFacgYqHRdEhVnAaIW1kEdDiEEVxwDqTNrDq+5QN0IlN7BpuvgsldByQ9EZJrUHCa+ApvP33QmRIQ728393BQsPtvsLZBn2zM+qppmIsSfGs3mVyUl0H31u6CLQ== dcameron@pcoslo4.cern.ch'; - 'dmytrok': - key => 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqMmKGg99cRc1aZFBlXH2lbI5iGGPdpCXUQhlG7TS+i8aZRP8TiL+8QohTxHLTzsIfyzIF0rETUIYlaajeiusv5GEYd2AAsioNWaFPLrMA9COH+eTIO36lpuh8qrMe5IczAyEy9kh+WB9Pwh53Zj4oQOSfH/gi0OD/YjddjrWGZ5MOn/yev4Dj87Noe9a9WEnCF2tMzoR52IkJCKmbs3w0kolntumj8RgB79lZwe21nJs9mBPjtj66SMCmjCdAsSkDhOK9VKJsU7z4YLK+SJav4JzX3wFo1mSX5ytp0lCD/1rMXOEdUY3wqlfmyktlBea0AYfO83nieXyIhH/KMmVSQ== dmytrok@ladon.uio.no'; - } - - sudo::runas { - 'arcdevs': - user => ['david', 'dmytrok', - 'aleksandr', 'maikenp', ], - asuser => 'ALL', commands => 'ALL'; - } - - iptables { - arcdevs-ssh: - ipfamily => ['ipv4','ipv6'], - chain => 'INPUT', - saddr => [ 'ulam.uio.no', # jon - 
'128.141.229.0/24', # david - '109.105.124.128/25', # NDGF HQ - 'purplerain.uio.no', # maikenp - '193.157.198.40', # maikenp - '82-135-155-59.static.zebra.lt', # aleksandr - ], - proto => 'tcp', dport => 'ssh', - target => 'ACCEPT', - comment => 'SSH for ARC developers and NDGF staff'; - } -} - - -class arc::logdir -{ - $logdir = "/var/log/arc" - - file { - $logdir: - ensure => directory, - require => Service['autofs']; - } -} - - -class arc::squid -{ - include nscnets - - iptables { - 'squid': - ipfamily => ['ipv4','ipv6'], - chain => 'INPUT', - saddr => $nscnets::bluegrass_int, - proto => 'tcp', dport => '3128', - target => 'ACCEPT', - comment => 'Squid'; - } - package { - 'squid': - ensure => installed; - } - fs::mount { - '/var/spool/squid': - device => '/dev/vgtank/squid', fstype => 'ext4', - owner => 'root', group => 'root', mode => '0755', - midreq => [ Package['squid'] ], - before => Service['squid']; - } - file { - '/var/spool/squid/cache': - ensure => directory, - owner => 'squid', group => 'squid', mode => '0750', - require => Fs::Mount['/var/spool/squid']; - } - ensure_line { - squid_cache_dir: - file => '/etc/squid/squid.conf', - line => 'cache_dir aufs /var/spool/squid/cache 18000 256 256', - pattern => '^cache_dir .*', - require => Package['squid'], - before => Service['squid']; - squid_max_filedesc: - file => '/etc/squid/squid.conf', - line => 'max_filedesc 8192', - pattern => '^max_filedesc .*', - require => Package['squid'], - before => Service['squid']; - squid_maximum_object_size: - file => '/etc/squid/squid.conf', - line => 'maximum_object_size 1024 MB', - pattern => '^maximum_object_size .*', - require => Package['squid'], - before => Service['squid']; - squid_maximum_object_size_in_memory: - file => '/etc/squid/squid.conf', - line => 'maximum_object_size_in_memory 10 MB', - pattern => '^maximum_object_size_in_memory .*', - require => Package['squid'], - before => Service['squid']; - squid_cache_mem: - file => '/etc/squid/squid.conf', - line 
=> 'cache_mem 512 MB', - pattern => '^cache_mem .*', - require => Package['squid'], - before => Service['squid']; - } - service { - 'squid': - enable => true, ensure => $running, hasstatus => true; - } -} - - -class arc::server__ -{ - include arc::voms - include x509certs::egi::trustanchors - include x509certs::egi::lcg_cas - include x509certs::hostcert::gridcert - include arc::logdir - include arc::devs - - # Install config file, poolmap binary and some log rotation - file { - [ '/arc/runtime', '/arc/controldir', '/arc/poolmaps' ]: - ensure => directory, - require => Fs::Mount['/arc']; - '/arc/accounting': - ensure => link, - target => '/export/accounting', - require => Fs::Mount['/arc']; - '/etc/arc.conf': - ensure => file, - content => template('main/arc/arc.conf.erb'), - owner => 'root', group => 'root', mode => '0444'; - '/arc/poolmaps/poolmap.pl': - ensure => file, - content => template('main/arc/poolmap.pl.erb'), - owner => 'root', group => 'root', mode => '0744'; - '/etc/logrotate.d/nordugrid-arc-extras': - ensure => file, - owner => 'root', group => 'root', mode => '0444', - content => template('main/arc/logrotate.conf.erb'); - } - - # Install required packages - package { - [ 'nordugrid-arc-arex', - 'nordugrid-arc-gridftpd', - 'nordugrid-arc-plugins-needed', - 'nordugrid-arc-plugins-globus', - 'nordugrid-arc-plugins-xrootd', - 'nordugrid-arc-plugins-gfal', - ]: - ensure => installed; - } - - package { - # Package no longer needed - 'nordugrid-arc-nordugridmap': - ensure => absent; - } - - # Open ports - iptables { - arc-gridftpd: - ipfamily => ['ipv4','ipv6'], - chain => 'INPUT', - proto => 'tcp', dport => '2811', - target => 'ACCEPT', - comment => 'ARC gridftp service port'; - arc-ws: - ipfamily => ['ipv4','ipv6'], - chain => 'INPUT', - proto => 'tcp', dport => '443', - target => 'ACCEPT', - comment => 'ARC web services interface'; - arc-globus-range: - ipfamily => ['ipv4','ipv6'], - chain => 'INPUT', - proto => 'tcp', dport => '10001:15000', - target => 
'ACCEPT', - comment => 'Gridftp data transfer ports'; - arc-infosys: - ipfamily => ['ipv4','ipv6'], - chain => 'INPUT', - proto => [ 'udp', 'tcp' ], dport => '2135', - target => 'ACCEPT', - comment => 'ARC infosys port'; - } - - #ensure_line { - # pbs_job_pvmem: - # file => "/usr/share/arc/submit-pbs-job", - # line => " echo \"#PBS -l pvmem=`expr \${joboption_memory} \\* 3 / 2`mb\" >> \$LRMS_JOB_SCRIPT", - # pattern => ".*echo \"#PBS -l pvmem=.*", - # require => Package["nordugrid-arc-arex"]; - #} - #cfgfile::comment_lines { - # pbs_cputime: - # file => "/usr/share/arc/submit-pbs-job", - # pattern => ".*echo \"#PBS -l cput=.*", - # require => Package["nordugrid-arc-arex"]; - #} -} - - -class arc::server -{ - include arc::server__ - Service { - hasstatus => true, hasrestart => true, - require => [ Class["arc::server__"], Class[arc::logdir] ], - subscribe => File["/etc/arc.conf"], - } - service { - 'arc-arex': - enable => true, ensure => $running; - 'arc-gridftpd': - enable => true, ensure => $running; - 'arc-infosys-ldap': - enable => true, ensure => $running; - # These should be stopped - 'arched': - enable => false, ensure => stopped; - } -} - - -class arc::cache -{ - include x509certs::hostcert::gridcert - include x509certs::egi::trustanchors - include x509certs::egi::lcg_cas - include arc::logdir - include arc::devs - - package { - [ 'nordugrid-arc-datadelivery-service', - 'nordugrid-arc-arex', # For cache-clean - 'nordugrid-arc-plugins-globus', - 'nordugrid-arc-plugins-xrootd', - 'nordugrid-arc-plugins-gfal', - ]: - ensure => installed; - } - - package { - # Package no longer needed - 'nordugrid-arc-nordugridmap': - ensure => absent; - } - - file { - '/etc/arc.conf': - ensure => file, - content => template('main/arc/arc.conf-cache.erb'), - owner => 'root', group => 'root', mode => '0444', - require => Package['nordugrid-arc-datadelivery-service']; - } - - iptables { - arc-cache-server: - ipfamily => ['ipv4','ipv6'], - chain => 'INPUT', - saddr => [ - 
'atlas.bluegrass.nsc.liu.se', - 'arctest.bluegrass.nsc.liu.se', ], - proto => 'tcp', dport => '60002', - target => 'ACCEPT', - comment => 'ARC Data Delivery Service'; - } - - service { - 'arc-datadelivery-service': - enable => true, ensure => $running, - hasstatus => true, hasrestart => true, - require => Class[arc::logdir], - subscribe => File['/etc/arc.conf']; - 'arc-arex': - enable => false, ensure => stopped; - 'arched': - enable => false, ensure => stopped; - } - - cron { - cache-clean: - command => "/usr/libexec/arc/cache-clean -m90 -M95 -D INFO /export/cache >> $arc::logdir::logdir/cache-clean.log 2>&1", - user => 'root', - month => '*', monthday => '*', weekday => '*', - hour => '*', minute => '*/5'; - } -} - - -class arc::client -{ - include arc-repo - include arc::voms - include grid_certificates - - package { - [ 'ca_NorduGrid-certrequest-config', - 'nordugrid-arc-client', - 'nordugrid-arc-doc', - 'nordugrid-arc-compat', - 'globus-common', - 'globus-core', - 'globus-gass-copy', - 'globus-gsi-cert-utils', - 'globus-gsi-cert-utils-progs', - 'globus-proxy-utils', - 'globus-rls-client', - 'globus-rls-client-progs', - 'grid-packaging-tools', - 'gsoap', - 'voms-clients', - ]: - ensure => installed; - } -} +# This file intentionally left blank. diff --git a/manifests/logdir.pp b/manifests/logdir.pp new file mode 100644 index 0000000000000000000000000000000000000000..387c0fb6535a95758e0615a47631f4d47542d589 --- /dev/null +++ b/manifests/logdir.pp @@ -0,0 +1,9 @@ +class arc::logdir +{ + $logdir = "/var/log/arc" + + file { + $logdir: + ensure => directory; + } +} diff --git a/manifests/server.pp b/manifests/server.pp new file mode 100644 index 0000000000000000000000000000000000000000..e440ea8fd206a21a178b82fcbc4bb70fda2479e3 --- /dev/null +++ b/manifests/server.pp 
@@ -0,0 +1,116 @@
+#
+# Class server to configure the ARC frontend machine. The data
+# downloader machines are handled in a separate class.
+#
+
+class arc::server
+{
+ include x509certs::egi::lcg_cas
+ include x509certs::hostcert::gridcert
+
+ include arc::voms
+ include arc::logdir
+ include arc::devs
+
+ # Install required packages
+ package {
+ [ 'nordugrid-arc-arex',
+ 'nordugrid-arc-gridftpd',
+ 'nordugrid-arc-plugins-globus',
+ 'nordugrid-arc-plugins-xrootd',
+ 'nordugrid-arc-plugins-gfal',
+ ]:
+ ensure => installed;
+ }
+
+ # Install config file, poolmap binary and some log rotation.
+ # The /arc partition must be mounted.
+ file {
+ [ '/arc/runtime', '/arc/controldir', '/arc/poolmaps' ]:
+ ensure => directory,
+ require => Fs::Mount['/arc'];
+ '/arc/accounting':
+ ensure => link,
+ target => '/export/accounting',
+ require => Fs::Mount['/arc'];
+ '/etc/arc.conf':
+ ensure => file,
+ content => template('arc/arc.conf.erb'),
+ owner => 'root', group => 'root', mode => '0444';
+ '/arc/poolmaps/poolmap.pl':
+ ensure => file,
+ content => template('arc/poolmap.pl.erb'),
+ owner => 'root', group => 'root', mode => '0744';
+ '/etc/logrotate.d/nordugrid-arc-extras':
+ ensure => file,
+ owner => 'root', group => 'root', mode => '0444',
+ content => template('arc/logrotate.conf.erb');
+ }
+
+ # Open ports for gridftp, arex and globus data transfers.
+ iptables {
+ arc-gridftpd:
+ ipfamily => ['ipv4','ipv6'],
+ chain => 'INPUT',
+ proto => 'tcp', dport => '2811',
+ target => 'ACCEPT',
+ comment => 'ARC gridftp service port';
+ arc-ws:
+ ipfamily => ['ipv4','ipv6'],
+ chain => 'INPUT',
+ proto => 'tcp', dport => '443',
+ target => 'ACCEPT',
+ comment => 'ARC web services interface';
+ arc-globus-range:
+ ipfamily => ['ipv4','ipv6'],
+ chain => 'INPUT',
+ proto => 'tcp', dport => '10001:15000',
+ target => 'ACCEPT',
+ comment => 'Gridftp data transfer ports';
+ arc-infosys:
+ ipfamily => ['ipv4','ipv6'],
+ chain => 'INPUT',
+ proto => [ 'udp', 'tcp' ], dport => '2135',
+ target => 'ACCEPT',
+ comment => 'ARC infosys port';
+ }
+
+ # Reconfigure the job submission script to give jobs more memory
+ # than requested. The jobs assume that there is swap space
+ # available and that the multi core jobs can share memory.
+ # Unfortunately the cgroup oom killer looks at RSS instead of PSS
+ # and thus double counts shared memory and kills jobs when it's
+ # not needed.
+ replace_sections {
+ 'joboption_memory':
+ file => '/usr/share/arc/submit-SLURM-job',
+ start => '^if.*joboption_memory.*',
+ end => '^ echo.*--mem-per-cpu',
+ replacement => ' if [ "$joboption_count" = 1 ]; then
+ # One core + 10%
+ joboption_memory=`expr $joboption_memory \* 110 / 100`
+ fi
+ if [ "$joboption_count" = 8 ]; then
+ # Eight cores + 25%
+ joboption_memory=`expr $joboption_memory \* 125 / 100`
+ fi
+',
+ require => Package['nordugrid-arc-arex'];
+ }
+
+ Service {
+ hasstatus => true, hasrestart => true,
+ subscribe => File['/etc/arc.conf'],
+ }
+ service {
+ 'arc-arex':
+ enable => true, ensure => $running;
+ 'arc-gridftpd':
+ enable => true, ensure => $running;
+ 'arc-infosys-ldap':
+ enable => true, ensure => $running;
+ # These should be stopped
+ 'arched':
+ enable => false, ensure => stopped;
+ }
+}
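Review bot: The `replace_sections 'joboption_memory'` resource rewrites the package-owned `/usr/share/arc/submit-SLURM-job` in place and only `require`s `Package['nordugrid-arc-arex']`; a package upgrade that restores the upstream script drops the memory bump until the next Puppet run, and if upstream reshuffles the script so that `start => '^if.*joboption_memory.*'` or `end => '^ echo.*--mem-per-cpu'` no longer match, what happens depends on how `replace_sections` reports a miss, which is not visible here. A comment above the resource pinning the ARC version the patterns were written against, e.g. `# Patterns verified against nordugrid-arc-arex <version>; re-check on every upgrade`, would make that fragility explicit. The replacement text also only adjusts `$joboption_count` of 1 and 8 and leaves every other core count at the requested memory, which the six-line header comment does not mention; either state that in the comment or handle the general case so the next reader does not assume all jobs get the headroom.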
diff --git a/manifests/squid.pp b/manifests/squid.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ffd675c395771e9b553fc70763621a7c499da793
--- /dev/null
+++ b/manifests/squid.pp
@@ -0,0 +1,78 @@
+#
+# Class to set up the squid service on the WLCG cluster. This is
+# needed for the CVMFS setup. Could be a bit more generic and perhaps
+# move to a separate module.
+#
+
+class arc::squid (
+ $clients,
+ $partition = '/dev/vgtank/squid',
+ $fstype = 'ext4',
+)
+{
+ include nscnets
+
+ # Install squid package.
+ package {
+ 'squid':
+ ensure => installed;
+ }
+
+ # Mount the squid data partition.
+ fs::mount {
+ '/var/spool/squid':
+ device => $partition, fstype => $fstype,
+ owner => 'squid', group => 'squid', mode => '0750',
+ midreq => [ Package['squid'] ],
+ before => Service['squid'];
+ }
+
+ # Create the squid cache directory.
+ file {
+ '/var/spool/squid/cache':
+ ensure => directory,
+ owner => 'squid', group => 'squid', mode => '0750',
+ require => Fs::Mount['/var/spool/squid'];
+ }
+
+ # Configure squid.
+ Ensure_Line {
+ file => '/etc/squid/squid.conf',
+ require => Package['squid'],
+ before => Service['squid'],
+ }
+ ensure_line {
+ squid_cache_dir:
+ line => 'cache_dir aufs /var/spool/squid/cache 18000 256 256',
+ pattern => '^cache_dir .*';
+ squid_max_filedesc:
+ line => 'max_filedesc 8192',
+ pattern => '^max_filedesc .*';
+ squid_maximum_object_size:
+ line => 'maximum_object_size 1024 MB',
+ pattern => '^maximum_object_size .*';
+ squid_maximum_object_size_in_memory:
+ line => 'maximum_object_size_in_memory 10 MB',
+ pattern => '^maximum_object_size_in_memory .*';
+ squid_cache_mem:
+ line => 'cache_mem 512 MB',
+ pattern => '^cache_mem .*';
+ }
+
+ # Open firewall for certain networks.
+ iptables {
+ 'squid':
+ ipfamily => ['ipv4','ipv6'],
+ chain => 'INPUT',
+ saddr => $clients,
+ proto => 'tcp', dport => '3128',
+ target => 'ACCEPT',
+ comment => 'Squid';
+ }
+
+ # Start service!
+ service {
+ 'squid':
+ enable => true, ensure => $running, hasstatus => true;
+ }
+}
diff --git a/manifests/voms.pp b/manifests/voms.pp
new file mode 100644
index 0000000000000000000000000000000000000000..1203138d8fdf6d9581a71397dae6fec556b1a467
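Review bot: `include nscnets` at the top of `arc::squid` is now dead: the firewall rule takes `saddr => $clients` from the class parameter, so the include is a leftover from the `$nscnets::bluegrass_int` version being deleted from init.pp and can be removed. The class manages cache sizing in `squid.conf` via `ensure_line` but not `acl`/`http_access`, so the only access control it applies is the iptables rule on port 3128; if the packaged squid.conf's default ACLs are wider than `$clients`, anything that reaches 3128 by another path (or from the host itself) is still served, which is worth either managing with an `ensure_line` for the `acl`/`http_access` lines or recording as a known limitation in the header comment. `$clients` has no default and is used directly as `saddr`, so a comment documenting the expected form (a list of hosts/networks accepted by the `iptables` define) would help callers.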
--- /dev/null
+++ b/manifests/voms.pp
@@ -0,0 +1,47 @@
+#
+# Class to set up the config files for voms.
+#
+# Atlas, dteam and ops are CERN specific and belongs to the WLCG
+# compute cluster and Swestore/dCache. Alice doesn't belive in VOMS.
+#
+# vo.hess-experiment.eu belongs to Swestore/dCache only, but we
+# install it everywhere. It doesn't hurt really, but there could be an
+# option to the class to enable it.
+#
+
+class arc::voms
+{
+ package {
+ # Install the basic voms package
+ 'voms':
+ ensure => installed;
+
+ # Set up the WLCG repo
+ 'wlcg-repo':
+ ensure => installed,
+ require => Package['voms'],
+ tag => 'pkgrepo';
+
+ # Install voms files
+ [ 'wlcg-voms-ops', 'wlcg-voms-atlas', 'wlcg-voms-dteam', ]:
+ ensure => installed,
+ require => Package['wlcg-repo'];
+ }
+
+ # Some VO:s doesn't have nice packages. Create those manually.
+ file {
+ # vo.hess-experiment.eu
+ '/etc/grid-security/vomsdir/vo.hess-experiment.eu':
+ ensure => directory,
+ owner => 'root', group => 'root', mode => '0555',
+ require => Package['voms'];
+ '/etc/grid-security/vomsdir/vo.hess-experiment.eu/grid12.lal.in2p3.fr.lsc':
+ source => 'puppet:///modules/arc/grid12.lal.in2p3.fr.lsc',
+ owner => 'root', group => 'root', mode => '0444',
+ require => File['/etc/grid-security/vomsdir/vo.hess-experiment.eu'];
+ '/etc/vomses/vo.hess-experiment.eu':
+ source => 'puppet:///modules/arc/vo.hess-experiment.eu',
+ owner => 'root', group => 'root', mode => '0444',
+ require => Package['voms'];
+ }
+}
diff --git a/files/arc.conf-cache.erb b/templates/arc.conf-cache.erb
similarity index 91%
rename from files/arc.conf-cache.erb
rename to templates/arc.conf-cache.erb
index 1110dbf6de811abf08be3c8801a486d65eb9202a..164c5c87b3f865fca3d53ccc491f19d03a649a99 100644
--- a/files/arc.conf-cache.erb
+++ b/templates/arc.conf-cache.erb
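Review bot: The header comment says vo.hess-experiment.eu is only needed on Swestore/dCache and suggests an option, yet the class is parameterless and installs the `.lsc` and vomses files everywhere; declaring `class arc::voms ($hess = true)` and wrapping the `file { … }` block in `if $hess { … }` would make that opt-out real without changing current behaviour. The `.lsc` file is the trust decision for which VOMS server and CA DNs this host accepts attribute certificates from, so a short comment above the file resource naming where the DNs were taken from (the vomses file cites `https://grid12.lal.in2p3.fr:8443/voms/vo.hess-experiment.eu`) would help whoever has to update them when that server's certificate is rotated. `/etc/vomses/vo.hess-experiment.eu` only requires `Package['voms']`; if that package does not create `/etc/vomses` on this platform the resource fails on first run, so a `file { '/etc/vomses': ensure => directory }` (or a requirement on one of the `wlcg-voms-*` packages) is the safer anchor. Minor wording in the header: "belongs" → "belong", "belive" → "believe", "VO:s doesn't" → "VOs don't".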
@@ -25,9 +25,9 @@ [common] [datadelivery-service] -hostname=<%= fqdn %> -transfer_dir=/arc/cache/<%= hostname %> -transfer_dir=/arc/session/<%= hostname %> +hostname=<%= @fqdn %> +transfer_dir=/arc/cache/<%= @hostname %> +transfer_dir=/arc/session/<%= @hostname %> port=60002 allowed_ip=<%= scope.function_resolve_ipnets(['atlas.bluegrass.nsc.liu.se', 'ipv4']) %> allowed_ip=<%= scope.function_resolve_ipnets(['atlas.bluegrass.nsc.liu.se', 'ipv6']) %> diff --git a/files/arc.conf.erb b/templates/arc.conf.erb similarity index 97% rename from files/arc.conf.erb rename to templates/arc.conf.erb index 3d4fbbe9e81011b8823eacfd9e35318679c292f3..35450dfb83c08aa14b3d76ecdea249a9aa66d6da 100644 --- a/files/arc.conf.erb +++ b/templates/arc.conf.erb @@ -25,7 +25,7 @@ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; [common] -hostname=<%= fqdn %> +hostname=<%= @fqdn %> [lrms] lrms=slurm bluegrass @@ -93,7 +93,7 @@ scratchdir=/scratch/local [arex/ws] # Enable the Web Services interface -wsurl=https://<%= fqdn %>:443/arex +wsurl=https://<%= @fqdn %>:443/arex [arex/ws/jobs] denyaccess=banned-users @@ -200,8 +200,8 @@ cluster_owner=NSC cluster_owner=University of Linkoping clustersupport=grid-admin@nsc.liu.se advertisedvo=atlas -opsys=<%= operatingsystem %> -opsys=<%= operatingsystemrelease %> +opsys=<%= @operatingsystem %> +opsys=<%= @operatingsystemrelease %> opsys=Final diff --git a/files/logrotate.conf.erb b/templates/logrotate.conf.erb similarity index 100% rename from files/logrotate.conf.erb rename to templates/logrotate.conf.erb diff --git a/files/poolmap.pl.erb b/templates/poolmap.pl.erb similarity index 100% rename from files/poolmap.pl.erb rename to templates/poolmap.pl.erb