From 1a65315566d9a4eb9f34ee8e5a1fd583fb4cb2e8 Mon Sep 17 00:00:00 2001 
From: Alex Vandiver Date: Wed, 15 Mar 2023 10:37:54 -0400 Subject: [PATCH] puppet: Switch teleport to running under systemd, not supervisord. There is no reason that the base node access method should be run under supervisor, which exists primarily to give access to the `zulip` user to restart its managed services. This access is unnecessary for Teleport, and also causes unwanted restarts of Teleport services when the `supervisor` base configuration changes. Additionally, supervisor does not support the in-place upgrade process that Teleport uses, as it replaces its core process with a new one. Switch to installing a systemd configuration file (as generated by `teleport install systemd`) for each part of Teleport, customized to pass a `--config` path. As such, we explicitly disable the `teleport` service provided by the package. The supervisor process is shut down by dint of no longer installing the file, which purges it from the managed directory, and reloads Supervisor to pick up the removed service. --- .../files/supervisor/conf.d/teleport_db.conf | 8 ------- .../supervisor/conf.d/teleport_node.conf | 8 ------- .../supervisor/conf.d/teleport_server.conf | 8 ------- .../zulip_ops/manifests/profile/teleport.pp | 11 ++-------- puppet/zulip_ops/manifests/teleport/base.pp | 8 ++++++- puppet/zulip_ops/manifests/teleport/db.pp | 15 ++----------- puppet/zulip_ops/manifests/teleport/node.pp | 15 ++----------- puppet/zulip_ops/manifests/teleport/part.pp | 21 +++++++++++++++++++ .../templates/teleport.service.template.erb | 15 +++++++++++++ 9 files changed, 49 insertions(+), 60 deletions(-) delete mode 100644 puppet/zulip_ops/files/supervisor/conf.d/teleport_db.conf delete mode 100644 puppet/zulip_ops/files/supervisor/conf.d/teleport_node.conf delete mode 100644 puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf create mode 100644 puppet/zulip_ops/manifests/teleport/part.pp create mode 100644 puppet/zulip_ops/templates/teleport.service.template.erb 
diff --git a/puppet/zulip_ops/files/supervisor/conf.d/teleport_db.conf b/puppet/zulip_ops/files/supervisor/conf.d/teleport_db.conf
deleted file mode 100644
index 8a53d63278..0000000000
--- a/puppet/zulip_ops/files/supervisor/conf.d/teleport_db.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[program:teleport_db]
-command=/usr/local/bin/teleport start --config=/etc/teleport_db.yaml
-priority=10
-autostart=true
-autorestart=true
-user=root
-redirect_stderr=true
-stdout_logfile=/var/log/teleport_db.log
diff --git a/puppet/zulip_ops/files/supervisor/conf.d/teleport_node.conf b/puppet/zulip_ops/files/supervisor/conf.d/teleport_node.conf
deleted file mode 100644
index 50d650b982..0000000000
--- a/puppet/zulip_ops/files/supervisor/conf.d/teleport_node.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[program:teleport_node]
-command=/usr/local/bin/teleport start --config=/etc/teleport_node.yaml
-priority=10
-autostart=true
-autorestart=true
-user=root
-redirect_stderr=true
-stdout_logfile=/var/log/teleport_node.log
diff --git a/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf b/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf
deleted file mode 100644
index 8a6c1f8ea6..0000000000
--- a/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[program:teleport_server]
-command=/usr/local/bin/teleport start --config=/etc/teleport_server.yaml
-priority=10
-autostart=true
-autorestart=true
-user=root
-redirect_stderr=true
-stdout_logfile=/var/log/teleport_server.log
diff --git a/puppet/zulip_ops/manifests/profile/teleport.pp b/puppet/zulip_ops/manifests/profile/teleport.pp
index fb5185bafd..1f6d8e454a 100644
--- a/puppet/zulip_ops/manifests/profile/teleport.pp
+++ b/puppet/zulip_ops/manifests/profile/teleport.pp
@@ -6,16 +6,9 @@ class zulip_ops::profile::teleport {
 group => 'root',
 mode => '0644',
 source => 'puppet:///modules/zulip_ops/teleport_server.yaml',
+ notify => Service['teleport_server'],
 }
- file { "${zulip::common::supervisor_conf_dir}/teleport_server.conf":
- ensure => file,
- require => [ Package[supervisor], Package[teleport], File['/etc/teleport_server.yaml'] ],
- owner => 'root',
- group => 'root',
- mode => '0644',
- source => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_server.conf',
- notify => Service[$zulip::common::supervisor_service],
- }
+ zulip_ops::teleport::part { 'server': }
 # https://goteleport.com/docs/admin-guide/#ports
 # Port 443 is outward-facing, for UI
diff --git a/puppet/zulip_ops/manifests/teleport/base.pp b/puppet/zulip_ops/manifests/teleport/base.pp
index db46ca6792..8c53db279f 100644
--- a/puppet/zulip_ops/manifests/teleport/base.pp
+++ b/puppet/zulip_ops/manifests/teleport/base.pp
@@ -6,7 +6,13 @@ class zulip_ops::teleport::base {
 command => "${setup_apt_repo_file} --list teleport",
 unless => "${setup_apt_repo_file} --list teleport --verify",
 }
- Package { 'teleport':
+ package { 'teleport':
+ ensure => installed,
 require => Exec['setup-apt-repo-teleport'],
 }
+ service { 'teleport':
+ ensure => stopped,
+ enable => mask,
+ require => Package['teleport'],
+ }
 }
diff --git a/puppet/zulip_ops/manifests/teleport/db.pp b/puppet/zulip_ops/manifests/teleport/db.pp
index 265e3abd42..b78edf5766 100644
--- a/puppet/zulip_ops/manifests/teleport/db.pp
+++ b/puppet/zulip_ops/manifests/teleport/db.pp
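Review bot: In the base.pp hunk, the removed `Package { 'teleport':` (capital P) was a Puppet resource default rather than a resource declaration, so nothing in this class previously installed the package at all; the replacement `package { 'teleport': ensure => installed,` is a real fix in its own right and the commit message should say so, otherwise it reads as a capitalization nit. Pairing `ensure => stopped` with `enable => mask` on the packaged unit is the right way to keep a package upgrade from bringing it back, but the reason is invisible from the resource; a comment above it, `# The package ships its own teleport.service; mask it so only the per-part units declared by zulip_ops::teleport::part run`, keeps a later cleanup from dropping the mask and ending up with two teleport processes.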
@@ -11,19 +11,8 @@ class zulip_ops::teleport::db {
 group => 'root',
 mode => '0644',
 content => template('zulip_ops/teleport_db.yaml.template.erb'),
+ notify => Service['teleport_db'],
 }
- file { "${zulip::common::supervisor_conf_dir}/teleport_db.conf":
- ensure => file,
- require => [
- Package[supervisor],
- Package[teleport],
- File['/etc/teleport_db.yaml'],
- ],
- owner => 'root',
- group => 'root',
- mode => '0644',
- source => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_db.conf',
- notify => Service[$zulip::common::supervisor_service],
- }
+ zulip_ops::teleport::part { 'db': }
 }
diff --git a/puppet/zulip_ops/manifests/teleport/node.pp b/puppet/zulip_ops/manifests/teleport/node.pp
index 1d5986e0b7..fdb3e27034 100644
--- a/puppet/zulip_ops/manifests/teleport/node.pp
+++ b/puppet/zulip_ops/manifests/teleport/node.pp
@@ -10,6 +10,7 @@ class zulip_ops::teleport::node {
 owner => 'root',
 group => 'root',
 mode => '0644',
+ notify => Service['teleport_node'],
 }
 concat::fragment { 'teleport_node_base':
 target => '/etc/teleport_node.yaml',
@@ -17,17 +18,5 @@ class zulip_ops::teleport::node {
 order => '01',
 }
- file { "${zulip::common::supervisor_conf_dir}/teleport_node.conf":
- ensure => file,
- require => [
- Package[supervisor],
- Package[teleport],
- Concat['/etc/teleport_node.yaml'],
- ],
- owner => 'root',
- group => 'root',
- mode => '0644',
- source => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_node.conf',
- notify => Service[$zulip::common::supervisor_service],
- }
+ zulip_ops::teleport::part { 'node': }
 }
diff --git a/puppet/zulip_ops/manifests/teleport/part.pp b/puppet/zulip_ops/manifests/teleport/part.pp
new file mode 100644
index 0000000000..2805f461ee
--- /dev/null
+++ b/puppet/zulip_ops/manifests/teleport/part.pp
@@ -0,0 +1,21 @@
+# @summary Adds a systemd service named teleport_$name
+#
+define zulip_ops::teleport::part() {
+ $part = $name
+ file { "/etc/systemd/system/teleport_${part}.service":
+ require => [
+ Package[teleport],
+ ],
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('zulip_ops/teleport.service.template.erb'),
+ notify => Service["teleport_${part}"],
+ }
+
+ service {"teleport_${part}":
+ ensure => running,
+ enable => true,
+ require => [Service['supervisor'], Service['teleport']],
+ }
+}
diff --git a/puppet/zulip_ops/templates/teleport.service.template.erb b/puppet/zulip_ops/templates/teleport.service.template.erb
new file mode 100644
index 0000000000..fc2cbf81a1
--- /dev/null
+++ b/puppet/zulip_ops/templates/teleport.service.template.erb
@@ -0,0 +1,15 @@
+[Unit]
+Description=Teleport <%= @part %> Service
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+EnvironmentFile=-/etc/default/teleport_<%= @part %>
+ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport_<%= @part %>.pid --config=/etc/teleport_<%= @part %>.yaml
+ExecReload=/bin/kill -HUP $MAINPID
+PIDFile=/run/teleport_<%= @part %>.pid
+LimitNOFILE=524288
+
+[Install]
+WantedBy=multi-user.target
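Review bot: The file resource writes the unit and notifies `Service["teleport_${part}"]`, but nothing runs `systemctl daemon-reload` in between, so on Puppet agents whose systemd provider does not reload unit definitions on its own (newer providers do, older ones do not; check the agent version actually deployed) a later change to `ExecStart` would be restarted against the stale definition, and a refreshonly exec ordered between the file and the service closes that gap. `$part = $name` exists only so the ERB can read it as `@part`; a comment saying so, `# Exposed to the template as @part`, stops the assignment reading as dead code. `require => [Service['supervisor'], Service['teleport']]` appears intended to ensure the supervisor-managed copy is gone and the package's own unit masked before this one starts, so two teleport processes never share a data directory; that reasoning is not visible from the resource and belongs in a comment above it. The `@summary` should also state the caller's side of the contract, namely that the caller manages `/etc/teleport_${name}.yaml` and points its `notify` at `Service["teleport_${name}"]`, as db.pp, node.pp and profile/teleport.pp do.
```puppet
  file { "/etc/systemd/system/teleport_${part}.service":
    # … unchanged: require, owner, group, mode, content …
    notify  => [Exec["teleport_${part}-daemon-reload"], Service["teleport_${part}"]],
  }

  # Older Puppet systemd providers do not reload unit definitions before a
  # restart; make the reload explicit so ExecStart changes take effect.
  exec { "teleport_${part}-daemon-reload":
    command     => 'systemctl daemon-reload',
    path        => ['/bin', '/usr/bin'],
    refreshonly => true,
    before      => Service["teleport_${part}"],
  }
```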
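Review bot: `After=network.target` orders the unit after network setup has begun, not after an address is up; Teleport retries its auth-server connection, so this is probably harmless, but if a part is seen racing an interface at boot, `Wants=network-online.target` together with `After=network-online.target` is the standard fix. Nothing in this commit manages `/etc/default/teleport_<part>`, yet the optional `EnvironmentFile=` line will read it into a root process if it ever appears; either manage that file (root-owned, mode 0644) or drop the line so there is no unmanaged input to the service. Because the installed unit is rendered from this template, a first line `# Managed by Puppet (zulip_ops/teleport.service.template.erb); local edits are overwritten` saves an operator from hand-editing `/etc/systemd/system/teleport_<part>.service` and losing the change on the next run. `PIDFile=` alongside `Type=simple` looks like a `Type=forking` leftover but presumably supports Teleport replacing its own process during in-place upgrade, as the commit message describes; confirm that and note it above the line so it is not removed later.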