opendev/system-config
Code Issues Proposed changes
8d968739e8
system-config/manifests/site.pp

1960 lines
80 KiB
ObjectPascal
Raw Normal View History

Move variables in manifests/site.pp to top of file Put the variables defined in manifests/site.pp at the top of the file so that they are in a known location after running csplit in test.sh and we can prepend them to the puppet-apply top files. A better solution would be to move this data into hiera, but this is not sensitive data, so a move to hiera should wait until we a have solution for a public hiera data repo separate from the private hiera data. Change-Id: I509a8266462dfdf53e1727938e4fb043241166b6
2014-06-03 17:28:27 -07:00
#
# Top-level variables
#
# There must not be any whitespace between this comment and the variables or
# in between any two variables in order for them to be correctly parsed and
# passed around in test.sh
#
Use In-Tree Public Hiera data Also make the apply-test public-hiera aware Change-Id: I761bf49ed6279a492cabeca878ec5e7c0fac3d0e
2015-07-28 18:05:08 -07:00
$elasticsearch_nodes = hiera_array('elasticsearch_nodes')
Move variables in manifests/site.pp to top of file Put the variables defined in manifests/site.pp at the top of the file so that they are in a known location after running csplit in test.sh and we can prepend them to the puppet-apply top files. A better solution would be to move this data into hiera, but this is not sensitive data, so a move to hiera should wait until we a have solution for a public hiera data repo separate from the private hiera data. Change-Id: I509a8266462dfdf53e1727938e4fb043241166b6
2014-06-03 17:28:27 -07:00
Add default puppet node. Change-Id: I1e1e723a9847b55dbb825a078a4dd5d9c08ce37b
2011-09-08 13:20:21 -07:00
#
# Default: should at least behave like an openstack server
#
node default {
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-06 10:32:48 -07:00
class { 'openstack_project::server':
Make the fallback sysadmins value the same The fallback value for sysadmins was was admins in some places and admin in others. However, re: jeblair: The fallback value for sysadmins should be "[]", which is actually the default value. Configuring the mail system to send root's mail to an account called 'admin' which may or may not exist and if it does exist may send mail to root is not a good idea. The default of [] will deliver root's mail normally. Change-Id: Iaeca86ef135b6a3210541618d48caf4058dc7966
2014-06-14 08:09:09 -07:00
sysadmins => hiera('sysadmins', []),
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-06 10:32:48 -07:00
}
Add default puppet node. Change-Id: I1e1e723a9847b55dbb825a078a4dd5d9c08ce37b
2011-09-08 13:20:21 -07:00
}
Move all node configuration into site.pp, with node identifiers based on hostnames so that puppet self-identifies which node config to use. Refactor class hierarchy for OpenStack slaves and servers. Add NTP to all systems. Change-Id: Ie7695768fcdebb744a86b3dc88bc0ea71297f978
2011-08-02 12:58:08 -07:00
#
# Long lived servers:
#
Start testing review.o.o on trusty Gerrit 2.9 has some newer dependencies we need from Ubuntu Trusty, so in preparation for the upgrade go ahead and begin testing our puppet manifest with that transition in mind. Change-Id: I1a31e2e5d432df4ca08673238f7b8fceefb19201
2015-02-04 22:04:31 +00:00
# Node-OS: trusty
Style guide updates for manifest directory Change-Id: I40d54189eb6d5cd4512080ec5010fe339bac96e0 Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com> Reviewed-on: https://review.openstack.org/13830 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-28 10:05:02 -04:00
node 'review.openstack.org' {
Pull o_p::server out of gerrit role Change-Id: Ia028637e1b9c91284d3f1476322ae486cd54d63f Signed-off-by: Philip Marc Schwartz <pschwar@linux.vnet.ibm.com>
2015-11-13 16:12:34 -05:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
sysadmins => hiera('sysadmins', []),
Set gerrit2 as an alias to root on Gerrit servers Now that the exim module supports custom arrays of aliases (but has ceased explicitly providing one for gerrit2), set the gerrit2 alias for root E-mail delivery on review.o.o and review-dev.o.o. Also plumb this through openstack_project::server so it can be used for similar purposes on other servers. Change-Id: I05df49af6abdf1494bdf0fee1be4cc79ec5b06d9 Depends-On: I2911f157812c127a514196ae58b7609378d7d4e4
2017-12-22 17:46:55 +00:00
extra_aliases => { 'gerrit2' => 'root' },
Pull o_p::server out of gerrit role Change-Id: Ia028637e1b9c91284d3f1476322ae486cd54d63f Signed-off-by: Philip Marc Schwartz <pschwar@linux.vnet.ibm.com>
2015-11-13 16:12:34 -05:00
}
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
class { 'openstack_project::review':
Switch gerrit to project-config Change-Id: I3e7358b4bc64e494a5990c79d16fafc21f5ed6af
2014-09-19 15:38:45 -07:00
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from review.openstack.org. Change-Id: I0325fb5b4140c0d05de8aa4742cb4c8ffce42fdd
2015-10-16 14:02:32 -07:00
github_oauth_token => hiera('gerrit_github_token'),
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
github_project_username => hiera('github_project_username', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from review.openstack.org. Change-Id: I0325fb5b4140c0d05de8aa4742cb4c8ffce42fdd
2015-10-16 14:02:32 -07:00
github_project_password => hiera('github_project_password'),
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
mysql_host => hiera('gerrit_mysql_host', 'localhost'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from review.openstack.org. Change-Id: I0325fb5b4140c0d05de8aa4742cb4c8ffce42fdd
2015-10-16 14:02:32 -07:00
mysql_password => hiera('gerrit_mysql_password'),
email_private_key => hiera('gerrit_email_private_key'),
token_private_key => hiera('gerrit_rest_token_private_key'),
gerritbot_password => hiera('gerrit_gerritbot_password'),
gerritbot_ssh_rsa_key_contents => hiera('gerritbot_ssh_rsa_key_contents'),
gerritbot_ssh_rsa_pubkey_contents => hiera('gerritbot_ssh_rsa_pubkey_contents'),
ssl_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'),
ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'),
ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'),
ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'),
ssh_replication_rsa_key_contents => hiera('gerrit_replication_ssh_rsa_key_contents'),
ssh_replication_rsa_pubkey_contents => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
Make Launchpad credentials reusable Refactor and rename our Launchpad "sync" credentials (they haven't been used to synchronize group membership from LP to Gerrit for nearly 4 years now) which currently perform bug updates for new/merged changes, so that they can be reused in the future to update bugs as a part of release automation jobs. Change-Id: Icd08dffef88fc8e99683d991ac6ac88b93bcb3e6
2016-08-17 18:29:36 +00:00
lp_access_token => hiera('gerrit_lp_access_token'),
lp_access_secret => hiera('gerrit_lp_access_secret'),
lp_consumer_key => hiera('gerrit_lp_consumer_key'),
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
swift_username => hiera('swift_store_user', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from review.openstack.org. Change-Id: I0325fb5b4140c0d05de8aa4742cb4c8ffce42fdd
2015-10-16 14:02:32 -07:00
swift_password => hiera('swift_store_key'),
Configure its-storyboard plugin Add configurations for the its-storyboard plugin: 1. Move java_home variable to a higher level module so it can be used to install certificate on review-dev.o.o 2. Configure its-storyboard for review.o.o and review-dev.o.o 3. Associate review.o.o with storyboard.o.o and review-dev.o.o with storyboard-dev.o.o 4. Import ssl certificate to java on review-dev.o.o so that the plugin can POST updates to storyboard-dev.o.o using storyboard REST APIs. 5. Configure rules (or conditions) telling its-plugin to update storyboard tasks status on specific gerrit change updates. Gerrit change to storyboard task transition mapping: change abandoned -> SB task set to 'todo' change createed or change restored -> SB task set to 'review' change merged -> SB task set to 'merged' Change-Id: Id6ec16e267fca5fbbc42b1d3547fc5d2fa4c671b depends-on: I9f47a2ed88ffbe827e494a478c0dc89a08bbe370 depends-on: I5e817fab8a8973b688fd44dd819e3616df171321
2016-06-17 00:17:10 -07:00
storyboard_password => hiera('gerrit_storyboard_token'),
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
}
Add Gerrit configuration to puppet. Change-Id: I26ebd80adb00ac5bf676533d5dd9359cbbe08075
2011-08-05 23:00:46 +00:00
}
Run review-dev on Ubuntu Trusty The review-dev.openstack.org server is now running on Ubuntu Trusty, so test its manifest accordingly. Change-Id: I1267a99ca997fd393f5950709cce9c0207281516 Depends-On: Iac6ab2c731175d62c2bfc58a52adafc61e25963a
2015-01-15 20:36:59 +00:00
# Node-OS: trusty
Add review2 node. To bootstrap a new gerrit server. Also, make the consumer_key field in the lp creds file templated and use a value from hiera so that dev/prod can share the template. Change-Id: Ie14e560beae4f4c270e558c24a67096a1c4a7d32 Reviewed-on: https://review.openstack.org/14369 Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2012-10-11 16:55:07 -07:00
node 'review-dev.openstack.org' {
Pull o_p::server out of gerrit role Change-Id: Ia028637e1b9c91284d3f1476322ae486cd54d63f Signed-off-by: Philip Marc Schwartz <pschwar@linux.vnet.ibm.com>
2015-11-13 16:12:34 -05:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
sysadmins => hiera('sysadmins', []),
Set gerrit2 as an alias to root on Gerrit servers Now that the exim module supports custom arrays of aliases (but has ceased explicitly providing one for gerrit2), set the gerrit2 alias for root E-mail delivery on review.o.o and review-dev.o.o. Also plumb this through openstack_project::server so it can be used for similar purposes on other servers. Change-Id: I05df49af6abdf1494bdf0fee1be4cc79ec5b06d9 Depends-On: I2911f157812c127a514196ae58b7609378d7d4e4
2017-12-22 17:46:55 +00:00
extra_aliases => { 'gerrit2' => 'root' },
Pull o_p::server out of gerrit role Change-Id: Ia028637e1b9c91284d3f1476322ae486cd54d63f Signed-off-by: Philip Marc Schwartz <pschwar@linux.vnet.ibm.com>
2015-11-13 16:12:34 -05:00
afs => true,
}
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
class { 'openstack_project::review_dev':
Allow puppet to manage replication keys on review-dev.o.o Change-Id: I284379cc69349037db4bf7dfd52e22d22b34d465
2015-04-15 15:38:05 -07:00
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from review-dev. Change-Id: Idbe948fe02bc3b0d794de1f31a3a7ca722da6ddc
2015-10-16 14:05:35 -07:00
github_oauth_token => hiera('gerrit_dev_github_token'),
Allow puppet to manage replication keys on review-dev.o.o Change-Id: I284379cc69349037db4bf7dfd52e22d22b34d465
2015-04-15 15:38:05 -07:00
github_project_username => hiera('github_dev_project_username', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from review-dev. Change-Id: Idbe948fe02bc3b0d794de1f31a3a7ca722da6ddc
2015-10-16 14:05:35 -07:00
github_project_password => hiera('github_dev_project_password'),
Allow puppet to manage replication keys on review-dev.o.o Change-Id: I284379cc69349037db4bf7dfd52e22d22b34d465
2015-04-15 15:38:05 -07:00
mysql_host => hiera('gerrit_dev_mysql_host', 'localhost'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from review-dev. Change-Id: Idbe948fe02bc3b0d794de1f31a3a7ca722da6ddc
2015-10-16 14:05:35 -07:00
mysql_password => hiera('gerrit_dev_mysql_password'),
email_private_key => hiera('gerrit_dev_email_private_key'),
ssh_dsa_key_contents => hiera('gerrit_dev_ssh_dsa_key_contents'),
ssh_dsa_pubkey_contents => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),
ssh_rsa_key_contents => hiera('gerrit_dev_ssh_rsa_key_contents'),
ssh_rsa_pubkey_contents => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),
ssh_project_rsa_key_contents => hiera('gerrit_dev_project_ssh_rsa_key_contents'),
ssh_project_rsa_pubkey_contents => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),
ssh_replication_rsa_key_contents => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),
ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),
Make Launchpad credentials reusable Refactor and rename our Launchpad "sync" credentials (they haven't been used to synchronize group membership from LP to Gerrit for nearly 4 years now) which currently perform bug updates for new/merged changes, so that they can be reused in the future to update bugs as a part of release automation jobs. Change-Id: Icd08dffef88fc8e99683d991ac6ac88b93bcb3e6
2016-08-17 18:29:36 +00:00
lp_access_token => hiera('gerrit_dev_lp_access_token'),
lp_access_secret => hiera('gerrit_dev_lp_access_secret'),
lp_consumer_key => hiera('gerrit_dev_lp_consumer_key'),
Configure its-storyboard plugin Add configurations for the its-storyboard plugin: 1. Move java_home variable to a higher level module so it can be used to install certificate on review-dev.o.o 2. Configure its-storyboard for review.o.o and review-dev.o.o 3. Associate review.o.o with storyboard.o.o and review-dev.o.o with storyboard-dev.o.o 4. Import ssl certificate to java on review-dev.o.o so that the plugin can POST updates to storyboard-dev.o.o using storyboard REST APIs. 5. Configure rules (or conditions) telling its-plugin to update storyboard tasks status on specific gerrit change updates. Gerrit change to storyboard task transition mapping: change abandoned -> SB task set to 'todo' change createed or change restored -> SB task set to 'review' change merged -> SB task set to 'merged' Change-Id: Id6ec16e267fca5fbbc42b1d3547fc5d2fa4c671b depends-on: I9f47a2ed88ffbe827e494a478c0dc89a08bbe370 depends-on: I5e817fab8a8973b688fd44dd819e3616df171321
2016-06-17 00:17:10 -07:00
storyboard_password => hiera('gerrit_dev_storyboard_token'),
storyboard_ssl_cert => hiera('gerrit_dev_storyboard_ssl_crt'),
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
}
Move all node configuration into site.pp, with node identifiers based on hostnames so that puppet self-identifies which node config to use. Refactor class hierarchy for OpenStack slaves and servers. Add NTP to all systems. Change-Id: Ie7695768fcdebb744a86b3dc88bc0ea71297f978
2011-08-02 12:58:08 -07:00
}
Create grafana.o.o under -infra Change-Id: Ib83a4d95df155f21c9affd25924261dc4b414133 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-04-30 19:09:38 +00:00
# Node-OS: trusty
Move grafana to xenial Change-Id: Ie0ec79ee6fa340b97a8fd0463cb0cdab39556a52
2017-12-11 09:05:04 -08:00
# Node-OS: xenial
node /^grafana\d*\.openstack\.org$/ {
Create a grafana group Numeric hostnames don't match FQDN hiera groups, so we need to create an explicit group. Change-Id: Ie1e55b934b7d36cc1cb3434381660d7d27bbe979
2017-12-11 13:17:24 -08:00
$group = "grafana"
Create grafana.o.o under -infra Change-Id: Ib83a4d95df155f21c9affd25924261dc4b414133 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-04-30 19:09:38 +00:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::grafana':
Remove the final XXX's We want to split the hiera data. Change-Id: Ie8adf4e58fe3871d201ef8984833b206c2d768f4
2015-10-28 11:31:50 +09:00
admin_password => hiera('grafana_admin_password'),
Add grafyaml support This works almost the same way as JJB. Dashboards are stored in yaml, puppet detects a file change, and grafana-dashboard publishes the changes into grafana. Change-Id: I91d539bdf7273a26dbd6ac46268bf5f98b1ea44f Depends-On: I2755fe4fee720c7805eed2cb5bdf11de667bbd4f Depends-On: I07577d72b2d5d6a552a9f50f551263fe3ac47dfb Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-10-09 11:20:50 -04:00
admin_user => hiera('grafana_admin_user', 'username'),
mysql_host => hiera('grafana_mysql_host', 'localhost'),
Remove the final XXX's We want to split the hiera data. Change-Id: Ie8adf4e58fe3871d201ef8984833b206c2d768f4
2015-10-28 11:31:50 +09:00
mysql_name => hiera('grafana_mysql_name'),
mysql_password => hiera('grafana_mysql_password'),
Add grafyaml support This works almost the same way as JJB. Dashboards are stored in yaml, puppet detects a file change, and grafana-dashboard publishes the changes into grafana. Change-Id: I91d539bdf7273a26dbd6ac46268bf5f98b1ea44f Depends-On: I2755fe4fee720c7805eed2cb5bdf11de667bbd4f Depends-On: I07577d72b2d5d6a552a9f50f551263fe3ac47dfb Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-10-09 11:20:50 -04:00
mysql_user => hiera('grafana_mysql_user', 'username'),
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
Remove the final XXX's We want to split the hiera data. Change-Id: Ie8adf4e58fe3871d201ef8984833b206c2d768f4
2015-10-28 11:31:50 +09:00
secret_key => hiera('grafana_secret_key'),
Create grafana.o.o under -infra Change-Id: Ib83a4d95df155f21c9affd25924261dc4b414133 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-04-30 19:09:38 +00:00
}
}
Add openstack-health api server This commit adds the puppet config for running an openstack-health api instance. It'll use the subunit2sql trove db node as a data source. The puppet-openstack-health module is incorrectly named which is causing issues, a workaround to rename the repo is added to install_modules.sh. This is a temporary measure until the gerrit rename is completed. There is also a workaround in the apply test. Change-Id: I7e6d9664d087e7bdc21d92624991d0d5f86c0c99
2015-10-14 15:33:20 -04:00
# Node-OS: trusty
Support xenial on health Change-Id: I1eb33de599c49273567de4b193a8b95a1fdb8048
2017-12-11 09:12:02 -08:00
# Node-OS: xenial
node /^health\d*\.openstack\.org$/ {
Add openstack-health api server This commit adds the puppet config for running an openstack-health api instance. It'll use the subunit2sql trove db node as a data source. The puppet-openstack-health module is incorrectly named which is causing issues, a workaround to rename the repo is added to install_modules.sh. This is a temporary measure until the gerrit rename is completed. There is also a workaround in the apply test. Change-Id: I7e6d9664d087e7bdc21d92624991d0d5f86c0c99
2015-10-14 15:33:20 -04:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::openstack_health_api':
subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
}
}
Create stackalytics.o.o under -infra Change-Id: I9afa912abee38fb2732e97df06d72788b57d53df Depends-On: If62b3f633000cc6380d892cad0a2160136ce8ca4 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-06-12 17:09:21 +00:00
# Node-OS: trusty
Support xenial on stackalytics Change-Id: Ieb6b4776f3eb229ecc1bee0bdc0d4033308799ef
2017-12-11 09:13:38 -08:00
# Node-OS: xenial
node /^stackalytics\d*\.openstack\.org$/ {
Create stackalytics.o.o under -infra Change-Id: I9afa912abee38fb2732e97df06d72788b57d53df Depends-On: If62b3f633000cc6380d892cad0a2160136ce8ca4 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-06-12 17:09:21 +00:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::stackalytics':
gerrit_ssh_user => hiera('stackalytics_gerrit_ssh_user'),
stackalytics_ssh_private_key => hiera('stackalytics_ssh_private_key_contents'),
}
}
Add openstack-health api server This commit adds the puppet config for running an openstack-health api instance. It'll use the subunit2sql trove db node as a data source. The puppet-openstack-health module is incorrectly named which is causing issues, a workaround to rename the repo is added to install_modules.sh. This is a temporary measure until the gerrit rename is completed. There is also a workaround in the apply test. Change-Id: I7e6d9664d087e7bdc21d92624991d0d5f86c0c99
2015-10-14 15:33:20 -04:00
Update cacti.o.o testing to xenial Change-Id: Idaba4705ffdaea1cb2d7da07db6752a9a1162907 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-13 17:05:26 -05:00
# Node-OS: xenial
Add cacti01 replacement node to Puppet We need to replace cacti as it is struggling with memory issues. Created cacti01 machine with 4GB, now adding the node declaration to Puppet so it gets configured as a Cacti server. Change-Id: I47a286079e44cd22686e99b8e4c229c693d509d1
2016-09-28 22:50:54 +02:00
node /^cacti\d+\.openstack\.org$/ {
$group = "cacti"
include openstack_project::ssl_cert_check
class { 'openstack_project::cacti':
sysadmins => hiera('sysadmins', []),
cacti_hosts => hiera_array('cacti_hosts'),
vhost_name => 'cacti.openstack.org',
}
}
Correctly list the OS for puppetmaster in the manifest puppetmaster now runs on trusty, not precise. Let's have the manifest reflect reality. Change-Id: I1c4d18cb3ca25560e8a75f1c8e50a51a86ad11e6
2015-11-28 21:37:14 -05:00
# Node-OS: trusty
Add node def for puppet3 master This change modifies install_puppet.sh to accept a --three option setting it to install the latest puppet available. It also creates a node definition for the puppetmaster.o.o node, the new 3 master, and the master of the future. Changes were made to various classes to allow the pinning to version 2.x to be turned off. Change-Id: I805d6dc50b9de0d8a99cf818d22d06c2dea6090a
2014-03-28 00:11:10 -07:00
node 'puppetmaster.openstack.org' {
Move server outside of puppetmaster class Change-Id: I9795cbf5554047b7b2fb5e13283884af9760a60d Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-04-10 17:36:44 +02:00
class { 'openstack_project::server':
Turn off salt port access We haven't used salt in quite a while. Maybe let's stop having the ports be open. Change-Id: Ibdb3c36e6af6edcdeb9cd5675342c1707c4a4cbe
2015-11-28 21:36:38 -05:00
iptables_public_tcp_ports => [8140],
Move server outside of puppetmaster class Change-Id: I9795cbf5554047b7b2fb5e13283884af9760a60d Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-04-10 17:36:44 +02:00
sysadmins => hiera('sysadmins', []),
pin_puppet => '3.6.',
}
Add node def for puppet3 master This change modifies install_puppet.sh to accept a --three option setting it to install the latest puppet available. It also creates a node definition for the puppetmaster.o.o node, the new 3 master, and the master of the future. Changes were made to various classes to allow the pinning to version 2.x to be turned off. Change-Id: I805d6dc50b9de0d8a99cf818d22d06c2dea6090a
2014-03-28 00:11:10 -07:00
class { 'openstack_project::puppetmaster':
Add OmfraCloud to puppetmaster_clouds I have verified the hiera settings. Omfracloud uses a self-signed cert, so vendor in the CA file. Change-Id: I8b5b2d1c2bb8a9f808a6ea8e5134cb17da8ee133
2016-02-02 18:22:41 -08:00
root_rsa_key => hiera('puppetmaster_root_rsa_key'),
puppetmaster_clouds => hiera('puppetmaster_clouds'),
Enable ansible callback events on firehose This commit adds the mqtt ansible callback plugin to the puppetmaster config so that whenever we run ansible we'll emit events to the firehose for that. Change-Id: Id5f10705687c5bb9854d386efd7fed486172f745
2017-04-19 17:33:25 -04:00
enable_mqtt => true,
mqtt_password => hiera('mqtt_service_user_password'),
mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
Add node def for puppet3 master This change modifies install_puppet.sh to accept a --three option setting it to install the latest puppet available. It also creates a node definition for the puppetmaster.o.o node, the new 3 master, and the master of the future. Changes were made to various classes to allow the pinning to version 2.x to be turned off. Change-Id: I805d6dc50b9de0d8a99cf818d22d06c2dea6090a
2014-03-28 00:11:10 -07:00
}
Trust infracloud directly using public cert Rather than needing to manage /usr/local/share/ca-certificates and keep the global cert list up to date with update-ca-certificates just directly trust the appropriate cert when talking to infracloud. This is how we have done it on nodepool and it is a very simple method for managing this setup. Change-Id: I702e30de81f1ef3211caa113616fef0be51f4821
2017-08-25 13:26:12 -07:00
file { '/etc/openstack/infracloud_vanilla_cacert.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
require => Class['::openstack_project::puppetmaster'],
}
file { '/etc/openstack/infracloud_chocolate_cacert.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
require => Class['::openstack_project::puppetmaster'],
}
Add node def for puppet3 master This change modifies install_puppet.sh to accept a --three option setting it to install the latest puppet available. It also creates a node definition for the puppetmaster.o.o node, the new 3 master, and the master of the future. Changes were made to various classes to allow the pinning to version 2.x to be turned off. Change-Id: I805d6dc50b9de0d8a99cf818d22d06c2dea6090a
2014-03-28 00:11:10 -07:00
}
Upgrade graphite.o.o to Trusty We are upgrading infra servers from Precise to Trusty. This patch aims to upgrade graphite.o.o to Trusty. To that end this patch adds a comment in site.pp # Node-OS: trusty Change-Id: If44125b1f6ce7bfa4e1232f8704d03d0a34720a3
2016-05-23 13:15:37 -04:00
# Node-OS: trusty
Support xenial on graphite Change-Id: I35922e35f48500481a7fb2a6aca8adeab721da21
2017-12-11 09:18:12 -08:00
# Node-OS: xenial
node /^graphite\d*\.openstack\.org$/ {
Decouple server from graphite manifest It involves a removal of openstack_project::graphite class because it's not adding any extra functionality than calling directly to graphite puppet module. Change-Id: Ibb15ac85f428f43521c22bba6083889f27305b19
2015-08-25 14:30:09 +02:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
Use iptables allowed_hosts This allows us to more safely specify hosts by name in iptable rules, as they will be resolved by puppet before being written to disk. Change-Id: Ie133ad8246d5907723a6d7cbf14644e0a10cc4e7 Depends-On: I7a0dfbab67bdba72c0a56acc611503795d2bc350
2017-12-14 11:14:14 -08:00
iptables_allowed_hosts => [
{protocol => 'udp', port => '8125', hostname => 'git.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'firehose01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'logstash.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nodepool.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl02.openstack.org'},
Update firewalls, zookeeper and cacti for zuul01 Now that the zuul01.openstack.org instance exists in DNS, update firewall rules, zookeeper and cacti configuration to include it (replacing the old zuul.openstack.org entries where relevant). Change-Id: I6bf605cd5120e342d597d9f862902bdc04abc7e7
2018-01-15 20:33:14 +00:00
{protocol => 'udp', port => '8125', hostname => 'zuul01.openstack.org'},
Use iptables allowed_hosts This allows us to more safely specify hosts by name in iptable rules, as they will be resolved by puppet before being written to disk. Change-Id: Ie133ad8246d5907723a6d7cbf14644e0a10cc4e7 Depends-On: I7a0dfbab67bdba72c0a56acc611503795d2bc350
2017-12-14 11:14:14 -08:00
{protocol => 'udp', port => '8125', hostname => 'zuulv3.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm05.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm06.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm07.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm08.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze05.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze06.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze07.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze08.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze09.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
],
Decouple server from graphite manifest It involves a removal of openstack_project::graphite class because it's not adding any extra functionality than calling directly to graphite puppet module. Change-Id: Ibb15ac85f428f43521c22bba6083889f27305b19
2015-08-25 14:30:09 +02:00
sysadmins => hiera('sysadmins', [])
}
class { '::graphite':
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
graphite_admin_user => hiera('graphite_admin_user', 'username'),
graphite_admin_email => hiera('graphite_admin_email', 'email@example.com'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from graphite. Change-Id: I1573f7a9edf3f0e99780e06cf5ed0fba672e3714
2015-10-16 14:14:46 -07:00
graphite_admin_password => hiera('graphite_admin_password'),
Add graphite. Change-Id: I276641d55e966cd76013cae847061c3ac7996864 Reviewed-on: https://review.openstack.org/17094 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-11-28 23:12:07 +00:00
}
}
Upgrade groups.o.o to trusty Update the Ubuntu OS version of groups.o.o instance from precise to trusty. Change-Id: I1e6d4de64b207af0cbd757ce5e43ed66a472bfc6
2016-04-04 12:15:56 +02:00
# Node-OS: trusty
Support xenial on groups and groups-dev Change-Id: I108b655023f5cd6c098f4cc66832ddfeccbe9748
2017-12-11 09:19:38 -08:00
# Node-OS: xenial
node /^groups\d*\.openstack\.org$/ {
Move server class call outside of groups*.pp class site.pp handles the call to the server class for groups* nodes. Change-Id: I061a0f3107347ace5e44d3c908b4f5a2515223eb
2015-06-26 12:26:58 +02:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
Add groups.openstack.org. Change-Id: Ie143fe2477372c0c1a7fe6675b538b2b40146626 Reviewed-on: https://review.openstack.org/15624 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2012-11-08 10:52:37 +01:00
class { 'openstack_project::groups':
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from groups and groups-dev Change-Id: Idcf727bd33f06a2294879496f946d66831670c89
2015-10-16 14:16:15 -07:00
site_admin_password => hiera('groups_site_admin_password'),
Enable SSL for groups.openstack.org Enable the SSL connection for groups.openstack.org, required by oauth2 authentication of openstackid.org. New hiera variables: - groups_site_ssl_cert_file_contents: x509 certificate of the vhost in pem format. - groups_site_ssl_key_file_contents: key of x509 cert in pem format. - groups_site_ssl_chain_file_contents: parent certs of site certificate Change-Id: Ia266e1ee057467e5149b84f8b5f8be98bf63180f Implements: blueprint groups-oauth2-authentication
2014-12-01 08:46:10 +01:00
site_mysql_host => hiera('groups_site_mysql_host', 'localhost'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from groups and groups-dev Change-Id: Idcf727bd33f06a2294879496f946d66831670c89
2015-10-16 14:16:15 -07:00
site_mysql_password => hiera('groups_site_mysql_password'),
conf_cron_key => hiera('groups_conf_cron_key'),
Enable SSL for groups.openstack.org Enable the SSL connection for groups.openstack.org, required by oauth2 authentication of openstackid.org. New hiera variables: - groups_site_ssl_cert_file_contents: x509 certificate of the vhost in pem format. - groups_site_ssl_key_file_contents: key of x509 cert in pem format. - groups_site_ssl_chain_file_contents: parent certs of site certificate Change-Id: Ia266e1ee057467e5149b84f8b5f8be98bf63180f Implements: blueprint groups-oauth2-authentication
2014-12-01 08:46:10 +01:00
site_ssl_cert_file_contents => hiera('groups_site_ssl_cert_file_contents', undef),
site_ssl_key_file_contents => hiera('groups_site_ssl_key_file_contents', undef),
site_ssl_chain_file_contents => hiera('groups_site_ssl_chain_file_contents', undef),
Add groups.openstack.org. Change-Id: Ie143fe2477372c0c1a7fe6675b538b2b40146626 Reviewed-on: https://review.openstack.org/15624 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2012-11-08 10:52:37 +01:00
}
}
Upgrade groups-dev.o.o to trusty Update the Ubuntu OS version of groups-dev.o.o instance from precise to trusty. Change-Id: I389821a17ceaf46c7fa6bfafe520afdd2ab157e2 Depends-On: https://review.openstack.org/295231 Depends-On: https://review.openstack.org/298742
2016-03-30 11:22:27 +02:00
# Node-OS: trusty
Support xenial on groups and groups-dev Change-Id: I108b655023f5cd6c098f4cc66832ddfeccbe9748
2017-12-11 09:19:38 -08:00
# Node-OS: xenial
node /^groups-dev\d*\.openstack\.org$/ {
Move server class call outside of groups*.pp class site.pp handles the call to the server class for groups* nodes. Change-Id: I061a0f3107347ace5e44d3c908b4f5a2515223eb
2015-06-26 12:26:58 +02:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
Add groups-dev.openstack.org node Add a groups-dev node to openstack infra, based on drupal environment. This node checks out the repository: https://git.openstack.org/openstack-infra/groups Build a new deployment from scratch, including drush make distbuild and drush si auto-installation features. Change-Id: I71eef1c14724ceb13a896ff768923148dedcc2ef
2013-09-17 11:43:00 +02:00
class { 'openstack_project::groups_dev':
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from groups and groups-dev Change-Id: Idcf727bd33f06a2294879496f946d66831670c89
2015-10-16 14:16:15 -07:00
site_admin_password => hiera('groups_dev_site_admin_password'),
Enable SSL in groups-dev.openstack.org Extend the Drupal vhost template with ssl capability, and groups-dev.openstack.org now accepts the following hiera variables for ssl setup: - groups_dev_site_ssl_cert_file_contents: x509 certificate of vhost in pem format - groups_dev_site_ssl_key_file_contents: rsa key of x509 certificate in pem format - groups_dev_site_ssl_chain_file_contents: trusted chain of parent certificates (optional) This patch is required for proper openstackid/oauth2 backref communication. Change-Id: Ia148d1db743fc80bcb675c9ca2906333ef62eff8 Implements: blueprint groups-oauth2-authentication
2014-11-19 21:07:37 +01:00
site_mysql_host => hiera('groups_dev_site_mysql_host', 'localhost'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from groups and groups-dev Change-Id: Idcf727bd33f06a2294879496f946d66831670c89
2015-10-16 14:16:15 -07:00
site_mysql_password => hiera('groups_dev_site_mysql_password'),
conf_cron_key => hiera('groups_dev_conf_cron_key'),
Enable SSL in groups-dev.openstack.org Extend the Drupal vhost template with ssl capability, and groups-dev.openstack.org now accepts the following hiera variables for ssl setup: - groups_dev_site_ssl_cert_file_contents: x509 certificate of vhost in pem format - groups_dev_site_ssl_key_file_contents: rsa key of x509 certificate in pem format - groups_dev_site_ssl_chain_file_contents: trusted chain of parent certificates (optional) This patch is required for proper openstackid/oauth2 backref communication. Change-Id: Ia148d1db743fc80bcb675c9ca2906333ef62eff8 Implements: blueprint groups-oauth2-authentication
2014-11-19 21:07:37 +01:00
site_ssl_cert_file_contents => hiera('groups_dev_site_ssl_cert_file_contents', undef),
site_ssl_key_file_contents => hiera('groups_dev_site_ssl_key_file_contents', undef),
site_ssl_cert_file => '/etc/ssl/certs/groups-dev.openstack.org.pem',
site_ssl_key_file => '/etc/ssl/private/groups-dev.openstack.org.key',
Add groups-dev.openstack.org node Add a groups-dev node to openstack infra, based on drupal environment. This node checks out the repository: https://git.openstack.org/openstack-infra/groups Build a new deployment from scratch, including drush make distbuild and drush si auto-installation features. Change-Id: I71eef1c14724ceb13a896ff768923148dedcc2ef
2013-09-17 11:43:00 +02:00
}
}
Migrate lists.o.o to ubuntu trusty Most of the changes are in puppet-mailman. Change-Id: Ia675fa4b79392aba6834c3fe478df4a614183526 Depends-On: Ic0cc4de17f0490c54293bbe37190654976ff7b57 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-02-25 15:39:08 -05:00
# Node-OS: trusty
Support xenial on lists Change-Id: Ia1eafdf3df22deb83ca8f3fa7fd5a6329e0a0a95
2017-12-11 09:22:05 -08:00
# Node-OS: xenial
node /^lists\d*\.openstack\.org$/ {
Use openstack_project::server class where possible As we move configuration for zuul worker nodes out of puppet and into DIB elements, we should keep track of what is being managed by puppet for long-lived servers and what no longer needs to be managed for single use workers. The openstack_project::server class wraps the openstack_server::template class which stores configuration that is common to both types of machines. This patch updates the backup_server and lists class to use the openstack_project::server class, updating class parameters where they differ between o_p:server and o_p::template. This way we can chop down the template class and move bits into the server class until eventually we can entirely remove the openstack_project::single_use_slave and openstack_project::template classes. Change-Id: Ief997d608a3a1632ec34da34ec46a237ead761f5
2017-03-25 14:55:29 +01:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
manage_exim => false,
purge_apt_sources => false,
}
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
class { 'openstack_project::lists':
Make the fallback sysadmins value the same The fallback value for sysadmins was was admins in some places and admin in others. However, re: jeblair: The fallback value for sysadmins should be "[]", which is actually the default value. Configuring the mail system to send root's mail to an account called 'admin' which may or may not exist and if it does exist may send mail to root is not a good idea. The default of [] will deliver root's mail normally. Change-Id: Iaeca86ef135b6a3210541618d48caf4058dc7966
2014-06-14 08:09:09 -07:00
listadmins => hiera('listadmins', []),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from lists. Change-Id: I870d95cec36279e1de3dbf39b305a1a8a2072426
2015-10-16 14:17:05 -07:00
listpassword => hiera('listpassword'),
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
}
Move all node configuration into site.pp, with node identifiers based on hostnames so that puppet self-identifies which node config to use. Refactor class hierarchy for OpenStack slaves and servers. Add NTP to all systems. Change-Id: Ie7695768fcdebb744a86b3dc88bc0ea71297f978
2011-08-02 12:58:08 -07:00
}
Create mailman server for Kata Containers Until we have a way to manage multiple domains on a single mailman instance, we need to have separate instances. This creates lists.katacontainers.io to run mailman for this new project that needs a separate domain from lists.openstack.org. Change-Id: Iafcf10c2c905439bf174e886a8886e090a256711
2017-11-30 14:14:59 -06:00
# Node-OS: trusty
Support xenial on lists Change-Id: Ia1eafdf3df22deb83ca8f3fa7fd5a6329e0a0a95
2017-12-11 09:22:05 -08:00
# Node-OS: xenial
node /^lists\d*\.katacontainers\.io$/ {
Create mailman server for Kata Containers Until we have a way to manage multiple domains on a single mailman instance, we need to have separate instances. This creates lists.katacontainers.io to run mailman for this new project that needs a separate domain from lists.openstack.org. Change-Id: Iafcf10c2c905439bf174e886a8886e090a256711
2017-11-30 14:14:59 -06:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
manage_exim => false,
purge_apt_sources => false,
}
class { 'openstack_project::kata_lists':
listadmins => hiera('listadmins', []),
listpassword => hiera('listpassword'),
}
}
Clean up puppet-apply testing on precise We've upgraded from precise to trusty on series of hosts, but forgot to update site.pp. This patch moves zuul, static, paste and proposal.slave to run tests on ubuntu-trusty. Change-Id: Iba041533ea86c3b01f981069b53fc7a1781521b1 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-07-28 11:27:18 -04:00
# Node-OS: trusty
Support xenial on paste Change-Id: Ief215e1c5ca168bfafb117dfc0652103b41aa17f
2017-12-11 09:23:14 -08:00
# Node-OS: xenial
node /^paste\d*\.openstack\.org$/ {
Create paste hiera group Change-Id: I0a9fd98c7a95bdf7046c5a56bbbd0fab3f27412e
2017-12-12 14:32:49 -08:00
$group = "paste"
add trusty support for paste.openstack.org This commit adds support for ubuntu trusty for a new pastebin host named paste01.openstack.org. Change-Id: Ib7073b2e50cb8c545491d98c17251ca79a1575cc
2016-05-02 10:45:14 -07:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::paste':
db_password => hiera('paste_db_password'),
db_host => hiera('paste_db_host'),
vhost_name => 'paste.openstack.org',
}
}
Add trusty node support for planet.openstack.org Change-Id: I082ee6d25dfbc9f81ffacf85cd3cf5257356cf9f
2016-05-23 09:27:29 -07:00
# Node-OS: trusty
Add planet01.openstack.org This is a Xenial host to replace the existing precise version Change-Id: Iafd37e8fe20429b880ac97b5255db19b8c51b85e
2017-03-28 13:57:31 +11:00
# Node-OS: xenial
Correct global site manifest regex for planet.o.o The regex in the global site manifest for planet01.openstack.org needs to also cover the existing planet.openstack.org, so match on 0 or more trailing digits. Change-Id: I98a86d2b65c80a48b523753d5eacd3aca9108268
2017-03-31 18:14:23 +00:00
node /planet\d*\.openstack\.org$/ {
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-06 10:32:48 -07:00
class { 'openstack_project::planet':
Make the fallback sysadmins value the same The fallback value for sysadmins was was admins in some places and admin in others. However, re: jeblair: The fallback value for sysadmins should be "[]", which is actually the default value. Configuring the mail system to send root's mail to an account called 'admin' which may or may not exist and if it does exist may send mail to root is not a good idea. The default of [] will deliver root's mail normally. Change-Id: Iaeca86ef135b6a3210541618d48caf4058dc7966
2014-06-14 08:09:09 -07:00
sysadmins => hiera('sysadmins', []),
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-06 10:32:48 -07:00
}
Add planet support Adds planet module and planet.openstack.org site. Change-Id: Id4d495889346e0a0d85d0fd05e40d451b04d21b1 Note: will not work with current openstack-planet git branch. Update for that comming
2012-02-03 14:37:54 +00:00
}
Upgrade eavesdrop.o.o to Trusty We are upgrading infra servers from Precise to Trusty. This patch aims to upgrade eavesdrop.o.o to Trusty. To that end this patch adds a comment in site.pp # Node-OS: trusty Change-Id: I3c7c6072d423fa446c573ba8ea5cd793fd9a7162
2016-05-23 13:21:06 -04:00
# Node-OS: trusty
Support xenial on eavesdrop Change-Id: I59260853f44e331bfab83be603d9d6ac723ad257
2017-12-11 09:24:02 -08:00
# Node-OS: xenial
node /^eavesdrop\d*\.openstack\.org$/ {
Add eavesdrop into groups.txt Now that we are using a numeric group, we need to add it to groups.txt and update our private hieradata to use groups too. Change-Id: I732d3698b3dfb591c2d6fa71f53e7a27f6143950 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-11 16:18:03 -05:00
$group = "eavesdrop"
Moved the server class settings out of the eavesdrop class Change-Id: Ieb002b252783fc3d9da0c8392d972c940711f5f4 Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-19 14:16:18 -04:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
class { 'openstack_project::eavesdrop':
Switch accessbot to project-config Change-Id: Ie1e6416c0b6d70d647b3c3bcef8843cc06dc73f4
2014-09-19 18:13:26 -07:00
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from eavesdrop. Change-Id: Iff413a1125be597256c940bdd6e29c0359473cd0
2015-10-16 14:19:34 -07:00
nickpass => hiera('openstack_meetbot_password'),
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
statusbot_nick => hiera('statusbot_nick', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from eavesdrop. Change-Id: Iff413a1125be597256c940bdd6e29c0359473cd0
2015-10-16 14:19:34 -07:00
statusbot_password => hiera('statusbot_nick_password'),
Add statusbot to eavesdrop.o.o. Change-Id: I3ae19a6321827b82ebf864182a1e5a90253b9c39 Reviewed-on: https://review.openstack.org/25755 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2013-03-29 13:47:38 -07:00
statusbot_server => 'chat.freenode.net',
Use In-Tree Public Hiera data Also make the apply-test public-hiera aware Change-Id: I761bf49ed6279a492cabeca878ec5e7c0fac3d0e
2015-07-28 18:05:08 -07:00
statusbot_channels => hiera_array('statusbot_channels', ['openstack_infra']),
Move statusbot_auth_nicks to hiera Follow the same pattern as channels Depends-On: Ief0848ac8e2f2132455c07c0e5d113c7b3def5ca Change-Id: I1f10e74e9b9571b6b90dea75c8319243f368f975
2016-01-29 13:34:24 -08:00
statusbot_auth_nicks => hiera_array('statusbot_auth_nicks'),
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
statusbot_wiki_user => hiera('statusbot_wiki_username', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from eavesdrop. Change-Id: Iff413a1125be597256c940bdd6e29c0359473cd0
2015-10-16 14:19:34 -07:00
statusbot_wiki_password => hiera('statusbot_wiki_password'),
Add statusbot to eavesdrop.o.o. Change-Id: I3ae19a6321827b82ebf864182a1e5a90253b9c39 Reviewed-on: https://review.openstack.org/25755 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2013-03-29 13:47:38 -07:00
statusbot_wiki_url => 'https://wiki.openstack.org/w/api.php',
Enable the #success feature in statusbot This adds the configuration bits to enable the #success command in statusbot. Depends-On: I66b577732d1fec271a42f9229a8b5af2e52a58f4 Change-Id: Id26fb1a9dc27874040d2f5dd05bf20140d07512b
2015-09-17 16:43:37 +02:00
# https://wiki.openstack.org/wiki/Infrastructure_Status
Add statusbot to eavesdrop.o.o. Change-Id: I3ae19a6321827b82ebf864182a1e5a90253b9c39 Reviewed-on: https://review.openstack.org/25755 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2013-03-29 13:47:38 -07:00
statusbot_wiki_pageid => '1781',
Enable the #success feature in statusbot This adds the configuration bits to enable the #success command in statusbot. Depends-On: I66b577732d1fec271a42f9229a8b5af2e52a58f4 Change-Id: Id26fb1a9dc27874040d2f5dd05bf20140d07512b
2015-09-17 16:43:37 +02:00
# https://wiki.openstack.org/wiki/Successes
statusbot_wiki_successpageid => '7717',
Enable the #thanks feature in statusbot This adds the configuration bits to enable the #thanks command in statusbot. Change-Id: I96873f3f764d9b8b77eb2ce68de24ccb56862a15 Depends-On: I9fd10cbaa315d2a418f3bb65ff7e40014701ec85
2017-06-12 09:54:40 -07:00
# https://wiki.openstack.org/wiki/Thanks
statusbot_wiki_thankspageid => '37700',
Enable the #success feature in statusbot This adds the configuration bits to enable the #success command in statusbot. Depends-On: I66b577732d1fec271a42f9229a8b5af2e52a58f4 Change-Id: Id26fb1a9dc27874040d2f5dd05bf20140d07512b
2015-09-17 16:43:37 +02:00
statusbot_irclogs_url => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
Add Twitter account details to our statusbot Change-Id: I62c767eeab472ac79bf18ba0177ed80b08dbf8fa Depends-on: Ia861189ea10d0056afb43fe6a6fd1e51d4ffb4bf
2016-09-09 14:43:51 -07:00
statusbot_twitter => true,
statusbot_twitter_key => hiera('statusbot_twitter_key'),
statusbot_twitter_secret => hiera('statusbot_twitter_secret'),
statusbot_twitter_token_key => hiera('statusbot_twitter_token_key'),
statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
Remove statusbot_accessbot_nick This was and should have remained $accessbot_nick, but was inadvertently changed in I62c767eeab472ac79bf18ba0177ed80b08dbf8fa. Change-Id: If65833b2ebd15be7c7f002c20e466e095a886334
2016-12-14 14:04:28 -08:00
accessbot_nick => hiera('accessbot_nick', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from eavesdrop. Change-Id: Iff413a1125be597256c940bdd6e29c0359473cd0
2015-10-16 14:19:34 -07:00
accessbot_password => hiera('accessbot_nick_password'),
Use public hiera for meetbot channels list This list is data, lets put it in yaml Change-Id: I6e77ae49c3a0f991d011a3e11e4668dbad349b9f
2015-12-04 16:43:57 -08:00
meetbot_channels => hiera('meetbot_channels', ['openstack-infra']),
Install ptgbot on eavesdrop.o.o This installs the ptgbot Puppet module so it will run from the eavesdrop.openstack.org server and generate its Web content there. Include some rudimentary operational documentation. Change-Id: I92ddbbb683dede2c325f70267bd5e26884a35c01 Depends-On: Idb1fc5273b67ab88e1c78578275969b04c781c7a
2017-07-06 19:41:03 +00:00
ptgbot_nick => hiera('ptgbot_nick', 'username'),
ptgbot_password => hiera('ptgbot_password'),
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
}
Puts meetbot under control of puppet Adds meetbot and an nginx setup to puppet. See manifests/site.pp for usage Change-Id: I47dcf2884a06441b482585bf5dae9f7d0bd7e543
2012-04-15 16:06:41 +01:00
}
Deploy simple ethercalc server This is a simple first deployment of an ethercalc service. It does not come with authenticated redis or redis backups. It will however have working ssl. Change-Id: I8c434a6bff42bce75e67fb37665d213f3cc018c8 Depends-On: Id10247211d9643e81bb1b6e8fb67377ba6de873a
2017-01-24 11:00:31 -08:00
# Node-OS: trusty
Add xenial for ethercalc testing Change-Id: I69a25d38b5d5a6f5eab416358a049c334f281a5e
2017-12-11 16:19:28 +11:00
# Node-OS: xenial
Deploy simple ethercalc server This is a simple first deployment of an ethercalc service. It does not come with authenticated redis or redis backups. It will however have working ssl. Change-Id: I8c434a6bff42bce75e67fb37665d213f3cc018c8 Depends-On: Id10247211d9643e81bb1b6e8fb67377ba6de873a
2017-01-24 11:00:31 -08:00
node /^ethercalc\d+\.openstack\.org$/ {
$group = "ethercalc"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::ethercalc':
vhost_name => 'ethercalc.openstack.org',
ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
ssl_key_file_contents => hiera('ssl_key_file_contents'),
ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
}
}
Upgrade etherpad to Ubuntu Trusty Upgrade etherpad to Ubuntu Trusty and switch from node.js compiled from source to the nodejs/npm distro packages there, and switch to the current latest "develop" branch tip tested and known working from the etherpad-dev server. Change-Id: I5ce02ad5424c3f6cf0dbd1bc067babacf13a3b2f
2015-08-20 17:10:29 +00:00
# Node-OS: trusty
Support xenial on etherpad and etherpad-dev Change-Id: I8a84b1f1db06fc0e6f29b1fc0e60f64c8cd7e7da
2017-12-11 09:26:13 -08:00
# Node-OS: xenial
node /^etherpad\d*\.openstack\.org$/ {
Moved out the server class from the etherpad and etherpad-dev classes Change-Id: If08e1eb8bacfbbf88546813b8b6dcd2ae2e7c8ee Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-20 10:00:28 -04:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
class { 'openstack_project::etherpad':
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from etherpad. Change-Id: I63643bfd509743722bc95936823e51ec51413ff1
2015-10-16 14:20:37 -07:00
ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('etherpad_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
mysql_host => hiera('etherpad_db_host', 'localhost'),
mysql_user => hiera('etherpad_db_user', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from etherpad. Change-Id: I63643bfd509743722bc95936823e51ec51413ff1
2015-10-16 14:20:37 -07:00
mysql_password => hiera('etherpad_db_password'),
Move hiera calls into site.pp. Secret info should be parameters to modules. It makes for easier testing. Change-Id: I66034387094b2a24c6fae57fec3af1dae3dd1d3a
2012-07-26 18:58:35 -05:00
}
Update eplite module for new version of eplite. Etherpad lite has changed their source tree slightly. This has required a few updates to the etherpad lite puppet module. The custom pad.js needs to go in a different directory and the upstart conf file needs a couple updated paths. In addition to the fixes a couple things have been cleaned up. Now define an etherpadlite.openstack.org node in site.pp and copy SSL certs from /root/secret-files. Change-Id: I312b419aa98212b6db68232c672bc4d75f23777f
2012-05-31 23:16:57 +00:00
}
Upgrade etherpad-dev to Ubuntu Trusty Upgrade etherpad-dev to Ubuntu Trusty and switch from node.js compiled from source to the nodejs/npm distro packages there. Change-Id: Ia1830c88bdd0fc7e934ebbca4fcbfb9996151d13
2015-08-20 17:00:54 +00:00
# Node-OS: trusty
Support xenial on etherpad and etherpad-dev Change-Id: I8a84b1f1db06fc0e6f29b1fc0e60f64c8cd7e7da
2017-12-11 09:26:13 -08:00
# Node-OS: xenial
node /^etherpad-dev\d*\.openstack\.org$/ {
Moved out the server class from the etherpad and etherpad-dev classes Change-Id: If08e1eb8bacfbbf88546813b8b6dcd2ae2e7c8ee Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-20 10:00:28 -04:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
Add etherpad-dev node and host class. We now host etherpad.openstack.org. To properly test upgrades and things add a proper etherpad-dev host to puppet. Currently the configuration is set to mimic that which is on etherpad.o.o. Once the -dev host is up and running it will be used to test upgrades to more modern etherpad lite and node.js version. Also at some point we will probably want to use the puppetlabs-mysql module to manage the mysql instances for etherpad. This dev host makes that easier. Change-Id: I63500026a1a38d7c4dd5b00cc869586eb2483497 Reviewed-on: https://review.openstack.org/14861 Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-10-25 16:09:13 -07:00
class { 'openstack_project::etherpad_dev':
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
mysql_host => hiera('etherpad-dev_db_host', 'localhost'),
mysql_user => hiera('etherpad-dev_db_user', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from etherpad. Change-Id: I63643bfd509743722bc95936823e51ec51413ff1
2015-10-16 14:20:37 -07:00
mysql_password => hiera('etherpad-dev_db_password'),
Add etherpad-dev node and host class. We now host etherpad.openstack.org. To properly test upgrades and things add a proper etherpad-dev host to puppet. Currently the configuration is set to mimic that which is on etherpad.o.o. Once the -dev host is up and running it will be used to test upgrades to more modern etherpad lite and node.js version. Also at some point we will probably want to use the puppetlabs-mysql module to manage the mysql instances for etherpad. This dev host makes that easier. Change-Id: I63500026a1a38d7c4dd5b00cc869586eb2483497 Reviewed-on: https://review.openstack.org/14861 Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-10-25 16:09:13 -07:00
}
}
Test wiki.o.o manifest on Ubuntu Trusty The production wiki.openstack.org has been manually upgraded to Ubuntu Trusty, and the Mediawiki Puppet module work in progress is also targeting Trusty and doesn't strictly need to worry about compatibility with Precise any longer, so just perform the mock deployment on ubuntu-trusty nodes now. Change-Id: Ic7ba80524d0c2b3ed46906c55b03194a1a01681b
2016-08-19 02:00:30 +00:00
# Node-OS: trusty
Use a host group for wiki.o.o In keeping with our decision in Austin to start appending ordinal suffixes to hostnames for new server instances, switch the node definition for wiki.openstack.org to allow a new wiki01.openstack.org to match. The production server has Puppet temporarily disabled, and the FQDN hiera keys have already been moved to a new "wiki" group file. As a requirement for this work, also purge remaining "FQDNisms" from the openstack_project::wiki class by making the site name a classvar and removing redundant SSL filenames which now merely mirror the defaults in the mediawiki module anyway. Change-Id: I950cb68ecd34e82f0da6b10bf2b93fb2c349286f
2016-08-29 19:49:45 +00:00
node /^wiki\d+\.openstack\.org$/ {
$group = "wiki"
Initial commit of MediaWiki module Change-Id: I6181e0d4a717d0a11ea2d741034db99435d5e180 Reviewed-on: https://review.openstack.org/10521 Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-07-30 00:23:41 -07:00
class { 'openstack_project::wiki':
Shorten wiki.o.o hiera keys Now that we're using per-host hiera files, we no longer need namespaced prefixes on our hiera keys. Accordingly, shorten the hiera keys for wiki.openstack.org to more generic names. Change-Id: I7bf73962cd9a68e637a0cbb3183cd22b612fd9b6
2016-08-20 15:05:58 +00:00
sysadmins => hiera('sysadmins', []),
Add a wiki-dev.o.o server to test newer mediawiki The wiki-dev.openstack.org server will eventually be used to test newer versions of Mediawiki and extensions/skins. To accommodate this, also parameterize server backups so that they don't conflict with production (and are in fact disabled entirely for the dev site). Change-Id: I6505d3af87f670e71a440c76873c085d97e5b82f
2016-08-20 15:22:46 +00:00
bup_user => 'bup-wiki',
Set the Apache ServerAdmin on wiki.o.o from hiera Our mediawiki module now allows setting the ServerAdmin in its Apache vhost config as a class parameter. Fill it from hiera so that people copying our global site manifest don't inadvertently configure servers to list us as their webmaster. Change-Id: I280d8fdf3f8c53d4a105b1739f7d0af83031d0b4
2016-08-22 19:45:12 +00:00
serveradmin => hiera('infra_apache_serveradmin'),
Use a host group for wiki.o.o In keeping with our decision in Austin to start appending ordinal suffixes to hostnames for new server instances, switch the node definition for wiki.openstack.org to allow a new wiki01.openstack.org to match. The production server has Puppet temporarily disabled, and the FQDN hiera keys have already been moved to a new "wiki" group file. As a requirement for this work, also purge remaining "FQDNisms" from the openstack_project::wiki class by making the site name a classvar and removing redundant SSL filenames which now merely mirror the defaults in the mediawiki module anyway. Change-Id: I950cb68ecd34e82f0da6b10bf2b93fb2c349286f
2016-08-29 19:49:45 +00:00
site_hostname => 'wiki.openstack.org',
Shorten wiki.o.o hiera keys Now that we're using per-host hiera files, we no longer need namespaced prefixes on our hiera keys. Accordingly, shorten the hiera keys for wiki.openstack.org to more generic names. Change-Id: I7bf73962cd9a68e637a0cbb3183cd22b612fd9b6
2016-08-20 15:05:58 +00:00
ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
ssl_key_file_contents => hiera('ssl_key_file_contents'),
ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
wg_dbserver => hiera('wg_dbserver'),
wg_dbname => 'openstack_wiki',
wg_dbuser => 'wikiuser',
wg_dbpassword => hiera('wg_dbpassword'),
wg_secretkey => hiera('wg_secretkey'),
wg_upgradekey => hiera('wg_upgradekey'),
wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
Initial commit of MediaWiki module Change-Id: I6181e0d4a717d0a11ea2d741034db99435d5e180 Reviewed-on: https://review.openstack.org/10521 Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-07-30 00:23:41 -07:00
}
Add wiki.openstack.org. Add Ryan Lane's ssh key, and add him to wiki.o.o. Change-Id: I6b81107b3b1c84c6e730caf77842e80e81d80a76
2012-07-16 15:29:28 -07:00
}
Add a wiki-dev.o.o server to test newer mediawiki The wiki-dev.openstack.org server will eventually be used to test newer versions of Mediawiki and extensions/skins. To accommodate this, also parameterize server backups so that they don't conflict with production (and are in fact disabled entirely for the dev site). Change-Id: I6505d3af87f670e71a440c76873c085d97e5b82f
2016-08-20 15:22:46 +00:00
# Node-OS: trusty
node /^wiki-dev\d+\.openstack\.org$/ {
$group = "wiki-dev"
class { 'openstack_project::wiki':
sysadmins => hiera('sysadmins', []),
serveradmin => hiera('infra_apache_serveradmin'),
site_hostname => 'wiki-dev.openstack.org',
wg_dbserver => hiera('wg_dbserver'),
wg_dbname => 'openstack_wiki',
wg_dbuser => 'wikiuser',
wg_dbpassword => hiera('wg_dbpassword'),
wg_secretkey => hiera('wg_secretkey'),
wg_upgradekey => hiera('wg_upgradekey'),
wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
Disallow robots for wiki-dev site We don't want old, stale copies of our production wiki content showing up in search engines, so set the mediawiki module parameter that disallows robots from indexing the site. Change-Id: If8a2f2c2c00715ecce0ac1aa279f649ec84496a1 Depends-On: Ic62a72555315bd344db338809920a3605f17c8c6
2016-09-07 20:47:27 +00:00
disallow_robots => true,
Add a wiki-dev.o.o server to test newer mediawiki The wiki-dev.openstack.org server will eventually be used to test newer versions of Mediawiki and extensions/skins. To accommodate this, also parameterize server backups so that they don't conflict with production (and are in fact disabled entirely for the dev site). Change-Id: I6505d3af87f670e71a440c76873c085d97e5b82f
2016-08-20 15:22:46 +00:00
}
}
Test logstash.o.o on trusty. This is in prep for switching over to trusty for the logstash proxy host. Change-Id: I0360e1a5bbe7524697c7b9b62ec1292b3f944bad
2016-05-25 14:44:34 -07:00
# Node-OS: trusty
Support xenial on logstash Change-Id: I9f7fe408d5706bc73376897b2c9aa35139796904
2017-12-11 09:27:01 -08:00
# Node-OS: xenial
node /^logstash\d*\.openstack\.org$/ {
Moved the server class out from the logstash and logstash_worker class Change-Id: I96df327f278714fb393dca887b8db1e01ca7504d Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-22 11:41:31 -04:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 3306],
Update logstash gearman client firewall rules This converts the config for logstsah gearman client firewall rules to use the new puppet-iptables iptables_allowed_hosts feature. This works around an issue with netfilter-persistent starting before dns resolution is working on boot. Change-Id: I76c45d8edbfe9f5420884e0ef2fb62cff2cc2bc9
2017-12-14 13:54:39 -08:00
iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'),
Moved the server class out from the logstash and logstash_worker class Change-Id: I96df327f278714fb393dca887b8db1e01ca7504d Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-22 11:41:31 -04:00
sysadmins => hiera('sysadmins', []),
}
Add skeleton logstash module. This new logstash module adds classes to install logstash agents and indexers as well as redis and elasticsearch. The configuration for each of these services is rudimentary but it shouldn't be difficult to expand the configs and make them useful. Also, add a logstash.openstack.org node that will have an agent, indexer, web frontend, redis, and elasticsearch installed on it. Change-Id: I25b635f088f99d45cfaa70ed122c6433d3784937 Reviewed-on: https://review.openstack.org/19871 Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Approved: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Tested-by: Jenkins
2013-01-16 15:01:25 -08:00
class { 'openstack_project::logstash':
Moved the server class out from the logstash and logstash_worker class Change-Id: I96df327f278714fb393dca887b8db1e01ca7504d Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-22 11:41:31 -04:00
discover_nodes => [
Install and run elasticsearch on new workers Add the actual elasticsearch module and associated parameters to the new worker nodes, and put them in the node and discovery lists. Change-Id: I0b55e4c5c8a3f0864dab2b2bf7f498b65bc20fd2
2014-02-25 00:07:17 +00:00
'elasticsearch03.openstack.org:9200',
'elasticsearch04.openstack.org:9200',
'elasticsearch05.openstack.org:9200',
'elasticsearch06.openstack.org:9200',
Add elasticsearch07 Add elasticsearch07 node. Move the elasticsearch discover node to elasticsearch02 instead of 01 as we are moving away from 01 as part of the 07 addition. Change-Id: I2aa857ec4984ae1fc2f8e27f437f8ecc61d24fbd
2014-06-13 11:19:34 -07:00
'elasticsearch07.openstack.org:9200',
Prepare for replacing elasticsearch02 logstash uses the first of the discover_nodes as proxy, so we need to rotate the list in order to be able to replace the first node without impacting service. Also replace the discover_node for the logstash-workers accordingly. Change-Id: Ib6f6d19a766021f9f16fb3bc2de1d80df66f7671
2017-12-15 15:10:41 +00:00
'elasticsearch02.openstack.org:9200',
Fix logstash.o.o elasticsearch discover node list. Logstash.o.o needs to be given the host and port for its elasticsearch discover node list. Fix the change that used just a list of hosts. Change-Id: If421007f633eb54a5dc65d5ede57d1e0a6f1c5d9
2013-08-06 10:46:00 -07:00
],
Moved the server class out from the logstash and logstash_worker class Change-Id: I96df327f278714fb393dca887b8db1e01ca7504d Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-22 11:41:31 -04:00
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
Scale out logstash indexing to multiple hosts. Logstash performs filtering in a single thread so it does not scale up very well. Work around this by scaling Logstash out to multiple indexer hosts. Current plan is to have a small (2GB) kibana web front end host that does nothing but talk to elasticsearch, three 4GB logstash indexers that will run a single log-pusher.py + logstash indexer with some partition of the logfiles assigned to each indexer, and finally the existing large elasticsearch node. Eventually properly load balancing log processing across the worker nodes would be great, but the current partition method should work well enough with little additional effort. Change-Id: Ifc6396560934314ffd6a7c47eb2acff9e9c2a7af Reviewed-on: https://review.openstack.org/30573 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
2013-05-26 16:08:46 -07:00
}
}
Migrate logstash-worker to ubuntu-trusty This is part of our effort to migrate servers from ubuntu precise to ubuntu trusty. Change-Id: I257458e6d282fa867663c248a94ed3f29eed32de Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-05-24 15:53:35 -04:00
# Node-OS: trusty
Support xenial on logstash-worker Change-Id: I03b665176844a4ecc8eeeb955e42ecef23df2e1d
2017-12-11 09:27:33 -08:00
# Node-OS: xenial
Scale out logstash indexing to multiple hosts. Logstash performs filtering in a single thread so it does not scale up very well. Work around this by scaling Logstash out to multiple indexer hosts. Current plan is to have a small (2GB) kibana web front end host that does nothing but talk to elasticsearch, three 4GB logstash indexers that will run a single log-pusher.py + logstash indexer with some partition of the logfiles assigned to each indexer, and finally the existing large elasticsearch node. Eventually properly load balancing log processing across the worker nodes would be great, but the current partition method should work well enough with little additional effort. Change-Id: Ifc6396560934314ffd6a7c47eb2acff9e9c2a7af Reviewed-on: https://review.openstack.org/30573 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
2013-05-26 16:08:46 -07:00
node /^logstash-worker\d+\.openstack\.org$/ {
Moved the server class out from the logstash and logstash_worker class Change-Id: I96df327f278714fb393dca887b8db1e01ca7504d Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-22 11:41:31 -04:00
$group = 'logstash-worker'
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
sysadmins => hiera('sysadmins', []),
}
Scale out logstash indexing to multiple hosts. Logstash performs filtering in a single thread so it does not scale up very well. Work around this by scaling Logstash out to multiple indexer hosts. Current plan is to have a small (2GB) kibana web front end host that does nothing but talk to elasticsearch, three 4GB logstash indexers that will run a single log-pusher.py + logstash indexer with some partition of the logfiles assigned to each indexer, and finally the existing large elasticsearch node. Eventually properly load balancing log processing across the worker nodes would be great, but the current partition method should work well enough with little additional effort. Change-Id: Ifc6396560934314ffd6a7c47eb2acff9e9c2a7af Reviewed-on: https://review.openstack.org/30573 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
2013-05-26 16:08:46 -07:00
class { 'openstack_project::logstash_worker':
Prepare for replacing elasticsearch02 logstash uses the first of the discover_nodes as proxy, so we need to rotate the list in order to be able to replace the first node without impacting service. Also replace the discover_node for the logstash-workers accordingly. Change-Id: Ib6f6d19a766021f9f16fb3bc2de1d80df66f7671
2017-12-15 15:10:41 +00:00
discover_node => 'elasticsearch03.openstack.org',
Revert "Revert "Disable mqtt output plugin on logstash workers"" The mqtt connections seem to be crashing the logstash daemons. So lets revert this for the time being and when we fix the root cause we can turn it back on. This reverts commit eb72771d6f5ca6e21215b40118181ccb97859bec. Change-Id: Ieaed43f5b94e0c5e2c98b0d627490d388e48261d
2016-09-30 17:43:38 -04:00
enable_mqtt => false,
Use MQTT output plugin on logstash workers This commit will enable the mqtt output plugin on logstash workers. So now we'll be emitting logstash events to the firehose for anyone to listen to. Change-Id: I570a461ee13f5dfa5494554df1cc321fc6cdbf6c Depends-On: I7255f6c256ab3e3ca33caf69b71bf4ffab02c1bb
2016-09-13 12:42:47 -04:00
mqtt_password => hiera('mqtt_service_user_password'),
mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
Add skeleton logstash module. This new logstash module adds classes to install logstash agents and indexers as well as redis and elasticsearch. The configuration for each of these services is rudimentary but it shouldn't be difficult to expand the configs and make them useful. Also, add a logstash.openstack.org node that will have an agent, indexer, web frontend, redis, and elasticsearch installed on it. Change-Id: I25b635f088f99d45cfaa70ed122c6433d3784937 Reviewed-on: https://review.openstack.org/19871 Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Approved: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Tested-by: Jenkins
2013-01-16 15:01:25 -08:00
}
}
Add subunit2sql workers This commit adds the subunit2sql workers to site.pp Change-Id: I0bf526611602c15b062ffca920a740dda7515200
2014-11-17 09:48:55 -05:00
# Node-OS: trusty
Support xenial on subunit-worker Change-Id: I47f2d72ee814a2fff33b4f81b010008219545b62 Depends-On: I4f7db205ac4ae29953757220dc0b9ae026ebbc71
2017-12-11 09:27:59 -08:00
# Node-OS: xenial
Add subunit2sql workers This commit adds the subunit2sql workers to site.pp Change-Id: I0bf526611602c15b062ffca920a740dda7515200
2014-11-17 09:48:55 -05:00
node /^subunit-worker\d+\.openstack\.org$/ {
Set $group at node scope for hiera lookups In order to support ansible copying split-out hiera files from the master to the nodes, we need to support group files in addition to just fqdn and common files. Change-Id: I0732cc8521bc5f6588f5de286f874a69ef45ab14
2015-03-16 12:47:42 -07:00
$group = "subunit-worker"
Move out server class from subunit_worker.pp Change-Id: Ic23472198c6a1842398c2a44de4a08ef89e1fb71 Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.htm
2015-07-09 14:40:01 -05:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
sysadmins => hiera('sysadmins', []),
}
Add subunit2sql workers This commit adds the subunit2sql workers to site.pp Change-Id: I0bf526611602c15b062ffca920a740dda7515200
2014-11-17 09:48:55 -05:00
class { 'openstack_project::subunit_worker':
Correct the ca-cert for mqtt on subunit worker This patch fixes a mistake on my part, previously the location of the ca certs on archlinux, but on ubuntu this isn't where they live. So the mqtt libs can't properly encrypt the traffic and things are getting stuck in a loop and not working. This commit fixes this by writing the cert from instantssl/comodo to disk and then pointing the worker at that. This way it should always work. Change-Id: I21b1a64b457545115ff862e3c3388c5892c5497b
2017-04-25 17:14:03 -04:00
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
mqtt_pass => hiera('mqtt_service_user_password'),
mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
Add subunit2sql workers This commit adds the subunit2sql workers to site.pp Change-Id: I0bf526611602c15b062ffca920a740dda7515200
2014-11-17 09:48:55 -05:00
}
}
Migrate elasticsearch to ubuntu-trusty This is part of our effort to migrate servers from ubuntu precise to ubuntu trusty. Change-Id: Ie259644eeac808d4f332a3fd165a432fad4191fb Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-05-24 16:04:57 -04:00
# Node-OS: trusty
Support xenial on elasticsearch Change-Id: I9fc0db51726b93b247a94d3f356bd825e9354083
2017-12-11 09:28:45 -08:00
# Node-OS: xenial
Add elasticsearch07 Add elasticsearch07 node. Move the elasticsearch discover node to elasticsearch02 instead of 01 as we are moving away from 01 as part of the 07 addition. Change-Id: I2aa857ec4984ae1fc2f8e27f437f8ecc61d24fbd
2014-06-13 11:19:34 -07:00
node /^elasticsearch0[1-7]\.openstack\.org$/ {
Set $group at node scope for hiera lookups In order to support ansible copying split-out hiera files from the master to the nodes, we need to support group files in addition to just fqdn and common files. Change-Id: I0732cc8521bc5f6588f5de286f874a69ef45ab14
2015-03-16 12:47:42 -07:00
$group = "elasticsearch"
Move out server class from elasticsearch_node.pp Change-Id: Ic49e815e7346280de31891eb11faccb7cad3adad Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.htm
2015-07-09 14:41:43 -05:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
Update elasticsearch firewall rules This converts the config for elasticsearch cluster client firewall rules to use the new puppet-iptables iptables_allowed_hosts feature. This works around an issue with netfilter-persistent starting before dns resolution is working on boot. Change-Id: I81b7598cb32d498b219ee00f0589e6bf0dc8c242
2017-12-14 14:09:05 -08:00
iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'),
Move out server class from elasticsearch_node.pp Change-Id: Ic49e815e7346280de31891eb11faccb7cad3adad Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.htm
2015-07-09 14:41:43 -05:00
sysadmins => hiera('sysadmins', []),
}
Install and run elasticsearch on new workers Add the actual elasticsearch module and associated parameters to the new worker nodes, and put them in the node and discovery lists. Change-Id: I0b55e4c5c8a3f0864dab2b2bf7f498b65bc20fd2
2014-02-25 00:07:17 +00:00
class { 'openstack_project::elasticsearch_node':
Update elasticsearch firewall rules This converts the config for elasticsearch cluster client firewall rules to use the new puppet-iptables iptables_allowed_hosts feature. This works around an issue with netfilter-persistent starting before dns resolution is working on boot. Change-Id: I81b7598cb32d498b219ee00f0589e6bf0dc8c242
2017-12-14 14:09:05 -08:00
discover_nodes => $elasticsearch_nodes,
Switch to dedicated elasticsearch node. Switch to a large dedicated elasticsearch node as sharing resources between logstash, kibana, jenkins-log-pusher, and elasticsearch results in a constrained environment. Change-Id: I39e6210f2c577429be2cb38aca09111a0f56f9be Reviewed-on: https://review.openstack.org/30344 Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
2013-05-23 14:08:58 -07:00
}
}
Add firehose.o.o config to system-config This commit adds the policy to configure firehose nodes which will run mosquitto and a germqtt daemon. Depends-On: Ibec91fd0abc637ea7087872cab1ec8487c73acae Depends-On: I24a0cdb6a41f6e440db8e68216b19ca61b4cba31 Change-Id: Ie3be71e16c42c32a9f479da468db6c53ebae52ac
2016-07-26 19:03:55 -04:00
# Node-OS: xenial
node /^firehose\d+\.openstack\.org$/ {
class { 'openstack_project::server':
Temporarily block port 80 and port 8080 on firehose We're able to pretty reliably crash firehose with multiple websocket connections at once. So to prevent us from DOS ourselves lets block off the websocket ports for now. We can revert this when we have a remedy in place. Change-Id: I909ad4b160a152ae9b909a9e9a1e5d63afa39345
2016-09-27 18:04:23 -04:00
# NOTE(mtreinish) Port 80 and 8080 are disabled because websocket
# connections seem to crash mosquitto. Once this is fixed we should add
# them back
iptables_public_tcp_ports => [22, 25, 1883, 8883],
Add firehose.o.o config to system-config This commit adds the policy to configure firehose nodes which will run mosquitto and a germqtt daemon. Depends-On: Ibec91fd0abc637ea7087872cab1ec8487c73acae Depends-On: I24a0cdb6a41f6e440db8e68216b19ca61b4cba31 Change-Id: Ie3be71e16c42c32a9f479da468db6c53ebae52ac
2016-07-26 19:03:55 -04:00
sysadmins => hiera('sysadmins', []),
Add email servers to firehose A requirement for running lpmqtt is to have an imap server that is subscribed to launchpad notifications to use as a source for the event stream. However there is no preexisting imap server setup anywhere to use for this. This commit deploys the necessary components for the imap server. Setting up the launchpad user and the subscription will be a manual process. Change-Id: I063ac9da89d227ac59ca1cb8765e3615d7bfdbba
2016-09-13 16:15:56 -04:00
manage_exim => false,
Add firehose.o.o config to system-config This commit adds the policy to configure firehose nodes which will run mosquitto and a germqtt daemon. Depends-On: Ibec91fd0abc637ea7087872cab1ec8487c73acae Depends-On: I24a0cdb6a41f6e440db8e68216b19ca61b4cba31 Change-Id: Ie3be71e16c42c32a9f479da468db6c53ebae52ac
2016-07-26 19:03:55 -04:00
}
class { 'openstack_project::firehose':
Add email servers to firehose A requirement for running lpmqtt is to have an imap server that is subscribed to launchpad notifications to use as a source for the event stream. However there is no preexisting imap server setup anywhere to use for this. This commit deploys the necessary components for the imap server. Setting up the launchpad user and the subscription will be a manual process. Change-Id: I063ac9da89d227ac59ca1cb8765e3615d7bfdbba
2016-09-13 16:15:56 -04:00
sysadmins => hiera('sysadmins', []),
Add firehose.o.o config to system-config This commit adds the policy to configure firehose nodes which will run mosquitto and a germqtt daemon. Depends-On: Ibec91fd0abc637ea7087872cab1ec8487c73acae Depends-On: I24a0cdb6a41f6e440db8e68216b19ca61b4cba31 Change-Id: Ie3be71e16c42c32a9f479da468db6c53ebae52ac
2016-07-26 19:03:55 -04:00
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
Fix hiera lookup for Firehose public key It was pulling the private key. Change-Id: Iff51947fe486f7b3a12119ca1c9cafb346d88e2c
2016-08-02 09:45:10 +02:00
gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
Add firehose.o.o config to system-config This commit adds the policy to configure firehose nodes which will run mosquitto and a germqtt daemon. Depends-On: Ibec91fd0abc637ea7087872cab1ec8487c73acae Depends-On: I24a0cdb6a41f6e440db8e68216b19ca61b4cba31 Change-Id: Ie3be71e16c42c32a9f479da468db6c53ebae52ac
2016-07-26 19:03:55 -04:00
gerrit_private_key => hiera('germqtt_gerrit_ssh_private_key'),
mqtt_password => hiera('mqtt_service_user_password'),
Add tls support to firehose This commit adds the necessary configuration to pass the tls certs to the puppet-mosquitto module to configure 2 tls enabled ports on the mosquitto server. Change-Id: I128b2bb5d061794746bedd7541988c65abcaafff Depends-On: I7c77285e347d8c1b2c3318360258246b78f885a8
2016-08-08 11:03:11 -04:00
ca_file => hiera('mosquitto_tls_ca_file'),
cert_file => hiera('mosquitto_tls_server_cert_file'),
key_file => hiera('mosquitto_tls_server_key_file'),
Add lpmqtt to firehose deployments This commit adds deploying a running lpmqtt to firehose nodes. Change-Id: Ia9d659e282a2a992b8c1a7a48577f3e59793effa Depends-On: I613330e2bff2e6fe1cacd7e53f3c189584978ea2
2016-08-30 18:26:43 -04:00
imap_hostname => hiera('lpmqtt_imap_server'),
imap_username => hiera('lpmqtt_imap_username'),
imap_password => hiera('lpmqtt_imap_password'),
Add mqtt_statsd to firehose config To get metrics on MQTT usage into graphite/grafana this commit adds running mqtt_statsd on firehose Change-Id: I90bb2c4fc7e409e9af24ca7cec7ad9d7926739e9 Depends-On: I28058bf6eac2354e3ceba0011464509ed6bdd869
2017-04-05 00:21:50 -04:00
statsd_host => 'graphite.openstack.org',
Add firehose.o.o config to system-config This commit adds the policy to configure firehose nodes which will run mosquitto and a germqtt daemon. Depends-On: Ibec91fd0abc637ea7087872cab1ec8487c73acae Depends-On: I24a0cdb6a41f6e440db8e68216b19ca61b4cba31 Change-Id: Ie3be71e16c42c32a9f479da468db6c53ebae52ac
2016-07-26 19:03:55 -04:00
}
}
Update git frontend regex to support more nodes We are going to round robin multiple git.openstack.org frontends. Before we build new nodes to do that we need to update the site.pp to properlly configure new nodes with these names. New name format will be git-frontendXX.openstack.org. Change-Id: Id7f9405909c91e457270687592948456db3aa420
2014-12-09 13:17:57 -08:00
# CentOS machines to load balance git access.
Allow haproxy to bind to all ports in selinux By default haproxy can only bind to HTTP(S) ports all other ports can't be bound due to the selinux policy. Simple fix for this is to toggle the boolean that allows haproxy to bind any port in the selinux policy. Do this with an exec that first checks if the boolean is set. Change-Id: I49c8bdc3586fa82cd954a6ef9be27f48f9a623ec
2015-11-20 12:13:42 -08:00
# Node-OS: centos7
Use 'fe' instead of 'frontend' There is some preference for using shorter host names so make git-frontendXX git-feXX instead. Change-Id: I8a5d80b3f0df537890abd18a22e62a22bc19c51f
2014-12-09 13:40:24 -08:00
node /^git(-fe\d+)?\.openstack\.org$/ {
Set $group at node scope for hiera lookups In order to support ansible copying split-out hiera files from the master to the nodes, we need to support group files in addition to just fqdn and common files. Change-Id: I0732cc8521bc5f6588f5de286f874a69ef45ab14
2015-03-16 12:47:42 -07:00
$group = "git-loadbalancer"
Add cgit web service and git server Define git.openstack.org server and deploy cgit web service with Apache on CentOS. Change-Id: Id3c7c870e25e4202915bc081454896895084f9af
2013-07-11 11:21:02 -07:00
class { 'openstack_project::git':
Make the fallback sysadmins value the same The fallback value for sysadmins was was admins in some places and admin in others. However, re: jeblair: The fallback value for sysadmins should be "[]", which is actually the default value. Configuring the mail system to send root's mail to an account called 'admin' which may or may not exist and if it does exist may send mail to root is not a good idea. The default of [] will deliver root's mail normally. Change-Id: Iaeca86ef135b6a3210541618d48caf4058dc7966
2014-06-14 08:09:09 -07:00
sysadmins => hiera('sysadmins', []),
Load balance git requests. * install_modules.sh: Add puppetlabs-haproxy forge module. * modules/cgit/manifests/init.pp: Add haproxy config to load balance https, https and git protocol git access. Each git server will host git http on port 8080, https on port 4443 and git protocol on 29418. These endpoints will then be load balanced by a single haproxy instance listening on ports 80, 443 and 9418. The use of haproxy and having services listen on offset ports to accomodate haproxy is toggleable using the $balance_git and $behind_proxy boolean flags. Additionally, configure rsyslog for haproxy. * modules/cgit/files/rsyslog.haproxy.conf: Enable syslog over UDP on port 514. This is needed by haproxy to perform logging. Send local0 messages to /var/log/haproxy.log. * modules/cgit/templates/ssl.conf.erb: Make Apache https listen port configurable. Remove default virtualhost. * modules/cgit/templates/httpd.conf.erb: Make Apache http listen port configurable. * modules/cgit/templates/git.vhost..erb: Make Apache http(s) listen ports configuruable. Allow http without redirecting to https as a fallback option to accomodate CentOS clients. * modules/openstack_project/manifests/git.pp: Pass load balancer variables through to the cgit manifest. * manifests/site.pp: Configure git.o.o to run the load balancer haproxy and balance across the new gitXX.o.o nodes. Change-Id: Icefc5923cff9a7c6ce62c1923ec2ea87ebc6474a
2013-08-19 17:10:13 -07:00
balancer_member_names => [
'git01.openstack.org',
'git02.openstack.org',
'git03.openstack.org',
'git04.openstack.org',
Add git05 to the git.openstack.org haproxy farm Once the git repositories on git05 are replicated from review.openstack.org and confirmed in sync, merge this to add it to the farm. Change-Id: I6bc87957ff9ba7983c48ce156ab7658a9ab8a5ad
2014-02-26 20:40:29 +00:00
'git05.openstack.org',
Add git06-08 to load balancer Change-Id: If85f2cc0bc4a700b7da06a1277a87dd392333424
2015-06-28 08:10:45 -07:00
'git06.openstack.org',
'git07.openstack.org',
'git08.openstack.org',
Load balance git requests. * install_modules.sh: Add puppetlabs-haproxy forge module. * modules/cgit/manifests/init.pp: Add haproxy config to load balance https, https and git protocol git access. Each git server will host git http on port 8080, https on port 4443 and git protocol on 29418. These endpoints will then be load balanced by a single haproxy instance listening on ports 80, 443 and 9418. The use of haproxy and having services listen on offset ports to accomodate haproxy is toggleable using the $balance_git and $behind_proxy boolean flags. Additionally, configure rsyslog for haproxy. * modules/cgit/files/rsyslog.haproxy.conf: Enable syslog over UDP on port 514. This is needed by haproxy to perform logging. Send local0 messages to /var/log/haproxy.log. * modules/cgit/templates/ssl.conf.erb: Make Apache https listen port configurable. Remove default virtualhost. * modules/cgit/templates/httpd.conf.erb: Make Apache http listen port configurable. * modules/cgit/templates/git.vhost..erb: Make Apache http(s) listen ports configuruable. Allow http without redirecting to https as a fallback option to accomodate CentOS clients. * modules/openstack_project/manifests/git.pp: Pass load balancer variables through to the cgit manifest. * manifests/site.pp: Configure git.o.o to run the load balancer haproxy and balance across the new gitXX.o.o nodes. Change-Id: Icefc5923cff9a7c6ce62c1923ec2ea87ebc6474a
2013-08-19 17:10:13 -07:00
],
balancer_member_ips => [
Switch to centos7 git01 and git02 hosts Continue the great switch to centos7 for git backends and replace git01 and 02. Since these are the last two backends to be swapped out switch the balance method back to leastconn as we will go back to having homogenous git backends and can get away with leastconn balancing. Change-Id: Ib3180587892bb46b3dc9d6a7dea28a28da85c3b3
2015-09-03 15:57:15 -07:00
'104.130.243.237',
'104.130.243.109',
Switch to centos7 git03 and git04 hosts Continue the great switch to centos7 for git backends and replace git03 and 04. Change-Id: Ic72c6b86be1017533f15bcfc554d1ec4a7f99df8
2015-09-03 11:29:57 -07:00
'67.192.247.197',
'67.192.247.180',
Switch to centos7 git05 and git06 hosts Continue the great switch to centos7 for git backends and replace git 05 and 06. Change-Id: Iee89dfb67bf2d785a04809fb4f1bb5fba7439070
2015-09-02 14:50:49 -07:00
'23.253.69.135',
'104.239.132.223',
Swap out git07 to new centos7 node Continue the great centos7 migration and replace a second git backend host with a newly built centos7 machine. Change-Id: I4e3bbb5f21a7e3b4522becf271a425702c5c77c2
2015-09-01 12:48:20 -07:00
'23.253.94.84',
Swap out git08 to new centos7 node We will put one centos7 git backend into the rotation and see how it does before switching all backends over to centos7. This gives us newer git which appears to be much better at managing its memory use when serving data. Change-Id: I69c8328a20b28fd85869964972bae2dfb89566bf
2015-08-28 15:40:41 -07:00
'104.239.146.131',
Load balance git requests. * install_modules.sh: Add puppetlabs-haproxy forge module. * modules/cgit/manifests/init.pp: Add haproxy config to load balance https, https and git protocol git access. Each git server will host git http on port 8080, https on port 4443 and git protocol on 29418. These endpoints will then be load balanced by a single haproxy instance listening on ports 80, 443 and 9418. The use of haproxy and having services listen on offset ports to accomodate haproxy is toggleable using the $balance_git and $behind_proxy boolean flags. Additionally, configure rsyslog for haproxy. * modules/cgit/files/rsyslog.haproxy.conf: Enable syslog over UDP on port 514. This is needed by haproxy to perform logging. Send local0 messages to /var/log/haproxy.log. * modules/cgit/templates/ssl.conf.erb: Make Apache https listen port configurable. Remove default virtualhost. * modules/cgit/templates/httpd.conf.erb: Make Apache http listen port configurable. * modules/cgit/templates/git.vhost..erb: Make Apache http(s) listen ports configuruable. Allow http without redirecting to https as a fallback option to accomodate CentOS clients. * modules/openstack_project/manifests/git.pp: Pass load balancer variables through to the cgit manifest. * manifests/site.pp: Configure git.o.o to run the load balancer haproxy and balance across the new gitXX.o.o nodes. Change-Id: Icefc5923cff9a7c6ce62c1923ec2ea87ebc6474a
2013-08-19 17:10:13 -07:00
],
}
}
# CentOS machines to run cgit and git daemon. Will be
# load balanced by git.openstack.org.
Run puppet apply test on centos7 for git backends Now that our git backends are all centos7 we should run the puppet apply test for that node against centos7 instead of centos6. Make it so. Change-Id: I26728b56e54d7ad2e977c62bb5d6c990e4d76e3b
2015-09-04 15:12:16 -07:00
# Node-OS: centos7
Load balance git requests. * install_modules.sh: Add puppetlabs-haproxy forge module. * modules/cgit/manifests/init.pp: Add haproxy config to load balance https, https and git protocol git access. Each git server will host git http on port 8080, https on port 4443 and git protocol on 29418. These endpoints will then be load balanced by a single haproxy instance listening on ports 80, 443 and 9418. The use of haproxy and having services listen on offset ports to accomodate haproxy is toggleable using the $balance_git and $behind_proxy boolean flags. Additionally, configure rsyslog for haproxy. * modules/cgit/files/rsyslog.haproxy.conf: Enable syslog over UDP on port 514. This is needed by haproxy to perform logging. Send local0 messages to /var/log/haproxy.log. * modules/cgit/templates/ssl.conf.erb: Make Apache https listen port configurable. Remove default virtualhost. * modules/cgit/templates/httpd.conf.erb: Make Apache http listen port configurable. * modules/cgit/templates/git.vhost..erb: Make Apache http(s) listen ports configuruable. Allow http without redirecting to https as a fallback option to accomodate CentOS clients. * modules/openstack_project/manifests/git.pp: Pass load balancer variables through to the cgit manifest. * manifests/site.pp: Configure git.o.o to run the load balancer haproxy and balance across the new gitXX.o.o nodes. Change-Id: Icefc5923cff9a7c6ce62c1923ec2ea87ebc6474a
2013-08-19 17:10:13 -07:00
node /^git\d+\.openstack\.org$/ {
Set $group at node scope for hiera lookups In order to support ansible copying split-out hiera files from the master to the nodes, we need to support group files in addition to just fqdn and common files. Change-Id: I0732cc8521bc5f6588f5de286f874a69ef45ab14
2015-03-16 12:47:42 -07:00
$group = "git-server"
Fix passing zuul public key to git backends Change-Id: I774d36ce82266e1431ff89acdc6450dbb1626004
2014-01-08 16:50:59 +08:00
include openstack_project
Move server outside git_backend class Change-Id: I00d3ce8970e0a0dacbca93fde918e406e99e1600 Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-04-30 15:22:34 +02:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [4443, 8080, 29418],
sysadmins => hiera('sysadmins', []),
}
Split git.o.o haproxy out of cgit module. * manifests/site.pp: Use distinct manifests for git.o.o and git.o.o backends. This allows for the haproxy server to not serve git content and purely be a load balancer. * modules/cgit/manifests/init.pp: Remove haproxy from cgit module. Remove stale xinetd cleanup. Select git daemon port when selecting HTTP(S) ports. * modules/openstack_project/manifests/git.pp: Make git.pp a manifest to load balance git servers with haproxy. * modules/openstack_project/manifests/git_backend.pp: New manifest to manage servers that actually serve git content. They sit behind a load balancer. * modules/openstack_project/manifests/review.pp: Stop replicating repos to git load balancer. Change-Id: I343a0d1e0a7b93874c2e2299ed974a3304957efb
2013-08-26 10:38:35 -07:00
class { 'openstack_project::git_backend':
Switch git and storyboard to project-config Change-Id: I78a5ac024bbc44504529233804288ccc81829ede
2014-09-25 13:11:54 -07:00
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
Load balance git requests. * install_modules.sh: Add puppetlabs-haproxy forge module. * modules/cgit/manifests/init.pp: Add haproxy config to load balance https, https and git protocol git access. Each git server will host git http on port 8080, https on port 4443 and git protocol on 29418. These endpoints will then be load balanced by a single haproxy instance listening on ports 80, 443 and 9418. The use of haproxy and having services listen on offset ports to accomodate haproxy is toggleable using the $balance_git and $behind_proxy boolean flags. Additionally, configure rsyslog for haproxy. * modules/cgit/files/rsyslog.haproxy.conf: Enable syslog over UDP on port 514. This is needed by haproxy to perform logging. Send local0 messages to /var/log/haproxy.log. * modules/cgit/templates/ssl.conf.erb: Make Apache https listen port configurable. Remove default virtualhost. * modules/cgit/templates/httpd.conf.erb: Make Apache http listen port configurable. * modules/cgit/templates/git.vhost..erb: Make Apache http(s) listen ports configuruable. Allow http without redirecting to https as a fallback option to accomodate CentOS clients. * modules/openstack_project/manifests/git.pp: Pass load balancer variables through to the cgit manifest. * manifests/site.pp: Configure git.o.o to run the load balancer haproxy and balance across the new gitXX.o.o nodes. Change-Id: Icefc5923cff9a7c6ce62c1923ec2ea87ebc6474a
2013-08-19 17:10:13 -07:00
vhost_name => 'git.openstack.org',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from git_backend. Change-Id: I7f5d46b6db3c034922efc4607da42584940fffb3
2015-10-16 14:22:11 -07:00
git_gerrit_ssh_key => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
ssl_cert_file_contents => hiera('git_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('git_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
Load balance git requests. * install_modules.sh: Add puppetlabs-haproxy forge module. * modules/cgit/manifests/init.pp: Add haproxy config to load balance https, https and git protocol git access. Each git server will host git http on port 8080, https on port 4443 and git protocol on 29418. These endpoints will then be load balanced by a single haproxy instance listening on ports 80, 443 and 9418. The use of haproxy and having services listen on offset ports to accomodate haproxy is toggleable using the $balance_git and $behind_proxy boolean flags. Additionally, configure rsyslog for haproxy. * modules/cgit/files/rsyslog.haproxy.conf: Enable syslog over UDP on port 514. This is needed by haproxy to perform logging. Send local0 messages to /var/log/haproxy.log. * modules/cgit/templates/ssl.conf.erb: Make Apache https listen port configurable. Remove default virtualhost. * modules/cgit/templates/httpd.conf.erb: Make Apache http listen port configurable. * modules/cgit/templates/git.vhost..erb: Make Apache http(s) listen ports configuruable. Allow http without redirecting to https as a fallback option to accomodate CentOS clients. * modules/openstack_project/manifests/git.pp: Pass load balancer variables through to the cgit manifest. * manifests/site.pp: Configure git.o.o to run the load balancer haproxy and balance across the new gitXX.o.o nodes. Change-Id: Icefc5923cff9a7c6ce62c1923ec2ea87ebc6474a
2013-08-19 17:10:13 -07:00
behind_proxy => true,
Parameterize setting the selinux mode By parameterizing the selinux mode we can set the mode and pass the mode to other classes so they can make decisions on whether or not to run selinux commands as part of their configuration. Depends-On: I21add092d9d09077f2b23760a384f5a5cb91d86a Change-Id: I86a5bb006b6ab9d64f7fbd894c967428cfaed8f8
2015-09-10 13:32:29 -05:00
selinux_mode => 'enforcing'
Add cgit web service and git server Define git.openstack.org server and deploy cgit web service with Apache on CentOS. Change-Id: Id3c7c870e25e4202915bc081454896895084f9af
2013-07-11 11:21:02 -07:00
}
}
Add mirror_update.openstack.org This is a machine that will drive centralized mirror updates for mirrors that are in AFS. Change-Id: I33eed90c21a2e57a26349be83ee69e968b18d2f8 Depends-On: I56bb3ce2237be1179724f7a2bdcf9d5b04bdecd2 Depends-On: I704c8bf395d83adea0f9a0db6fd3d3814ad7660a
2016-01-20 15:11:24 -08:00
# A machine to drive AFS mirror updates.
# Node-OS: trusty
Support xenial on mirror-update Change-Id: Iabab7568041e0aa5b856595557e8aa75de5c43f5
2017-12-11 09:29:28 -08:00
# Node-OS: xenial
node /^mirror-update\d*\.openstack\.org$/ {
Create afs-admin hiera group For mirror-update and release.slave, both of which need the afsadmin keytab. Change-Id: I1aade3d383ccdbe244ae523838a93bf24410495e
2016-02-04 08:58:30 -08:00
$group = "afsadmin"
Add mirror_update.openstack.org This is a machine that will drive centralized mirror updates for mirrors that are in AFS. Change-Id: I33eed90c21a2e57a26349be83ee69e968b18d2f8 Depends-On: I56bb3ce2237be1179724f7a2bdcf9d5b04bdecd2 Depends-On: I704c8bf395d83adea0f9a0db6fd3d3814ad7660a
2016-01-20 15:11:24 -08:00
class { 'openstack_project::mirror_update':
bandersnatch_keytab => hiera('bandersnatch_keytab'),
admin_keytab => hiera('afsadmin_keytab'),
Add Fedora mirror to AFS This has been on my list for some time, since we run fedora jobs in the gate, we should also mirror this infra too. Change-Id: I523bf263b5f9455ee51a712fc97cde3f8daeba80 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-12-28 15:54:16 -05:00
fedora_keytab => hiera('fedora_keytab'),
Mirror openSUSE Leap 42.2 repositories Change-Id: Id3fad9ab92ac913f0f31a71873c8f85e14828796
2017-02-22 20:43:49 +01:00
opensuse_keytab => hiera('opensuse_keytab'),
Add AFS apt mirror The reprepro class in this is in-tree rather than in its own module purely for ease of getting started. It's also highly hard-coded rather than flexible. This change will need a mirror.apt volume and service/reprepro principal and keytab to be created before it lands. Allow for pool trimming after a 2 hour delay. Each devstack run of apt-get update should be able to be assumed to be valid for the length of the devstack. For that reason, only delete files that are unreferenced during the subsequent mirror run, ensuring at least a 2 hour delay between becoming unreferenced and going away. Local testing indicates that a trusty mirror is 86G. Change-Id: I84f6a0391f80e6bf567c4bfc18a41bd270fe8c01
2016-01-26 10:19:53 -05:00
reprepro_keytab => hiera('reprepro_keytab'),
Added Gem Mirror to Infra This patch adds a static, read-only gem mirror to openstack-infra's regional mirrors under the /gem path. Change-Id: I2f67fe01d32c4472ff56862b9dc25b9915a695c0 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-12-04 12:09:51 -05:00
gem_keytab => hiera('gem_keytab'),
Initial commit for CentOS AFS mirror This is the first step to getting an AFS mirror for centos going. We still need to add RPM validation and enabled automatic vos release. However, this will atleast enabled us to do the initial import of the RPMs into AFS which will take a few days to mirror properly. Change-Id: Ic3b0ca5f5c9321b7e5048f4000ca58266d117083 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-03-07 13:59:56 -05:00
centos_keytab => hiera('centos_keytab'),
Add EPEL mirror Like the centos mirror, we'll be using rsync for the EPEL mirror. This will be used by centos-7 nodes. Change-Id: Ifb9f539b20558ef4464616d56259cf1355eff901 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-05-12 11:01:43 -04:00
epel_keytab => hiera('epel_keytab'),
Add mirror_update.openstack.org This is a machine that will drive centralized mirror updates for mirrors that are in AFS. Change-Id: I33eed90c21a2e57a26349be83ee69e968b18d2f8 Depends-On: I56bb3ce2237be1179724f7a2bdcf9d5b04bdecd2 Depends-On: I704c8bf395d83adea0f9a0db6fd3d3814ad7660a
2016-01-20 15:11:24 -08:00
sysadmins => hiera('sysadmins', []),
}
}
Add mirror.<region>.openstack.org This patch creates a new manifest for unified infra mirrors, which will act as read-only AFS nodes that host our mirror data. These mirrors will, once validated and provisioned, replace the existing pypi mirrors in infra under a new, more generic, hostname. This patch is only intended to create the AFS read-only slave. Apache hosting will be added in subsequent patches. Change-Id: I9a2bf596cf47bffad5d6a5fd0da3c571fa266013
2016-01-20 15:11:24 -08:00
# Machines in each region to serve AFS mirrors.
Add mirror01.iad.rax.o.o This is a new Xenial-based mirror in the RAX IAD region Add munging to have a serveralias for numerically named servers Change-Id: I5690e231a53a45e33bd925cd1a4a87ffa025af04
2017-08-16 10:11:19 +10:00
# Node-OS: xenial
node /^mirror\d*\..*\.openstack\.org$/ {
Add mirror.<region>.openstack.org This patch creates a new manifest for unified infra mirrors, which will act as read-only AFS nodes that host our mirror data. These mirrors will, once validated and provisioned, replace the existing pypi mirrors in infra under a new, more generic, hostname. This patch is only intended to create the AFS read-only slave. Apache hosting will be added in subsequent patches. Change-Id: I9a2bf596cf47bffad5d6a5fd0da3c571fa266013
2016-01-20 15:11:24 -08:00
$group = "mirror"
class { 'openstack_project::server':
Add registry-1.docker.io to reverse proxy cache To use the mirror, you'd create a /etc/docker/daemon.json file: { "registry-mirrors": [ "http://mirror.dfw.rax.openstack.org:8081/registry-1.docker/" ] } Obviously using your regional mirror. We also use port 8081 because we need to ignore Expires headers, and don't want to affect the rdo proxy. Change-Id: Iba9a7580a11cdecb6a43a4fef703be2ca62d0539 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-04-05 13:58:58 -04:00
iptables_public_tcp_ports => [22, 80, 8080, 8081],
Add mirror.<region>.openstack.org This patch creates a new manifest for unified infra mirrors, which will act as read-only AFS nodes that host our mirror data. These mirrors will, once validated and provisioned, replace the existing pypi mirrors in infra under a new, more generic, hostname. This patch is only intended to create the AFS read-only slave. Apache hosting will be added in subsequent patches. Change-Id: I9a2bf596cf47bffad5d6a5fd0da3c571fa266013
2016-01-20 15:11:24 -08:00
sysadmins => hiera('sysadmins', []),
afs => true,
Set AFS cache size to 50G on mirrors Change-Id: I2cbb453156aef28722b3c8a51bf221d8da8b7e23
2016-01-23 19:45:59 -08:00
afs_cache_size => 50000000, # 50GB
Add mirror.<region>.openstack.org This patch creates a new manifest for unified infra mirrors, which will act as read-only AFS nodes that host our mirror data. These mirrors will, once validated and provisioned, replace the existing pypi mirrors in infra under a new, more generic, hostname. This patch is only intended to create the AFS read-only slave. Apache hosting will be added in subsequent patches. Change-Id: I9a2bf596cf47bffad5d6a5fd0da3c571fa266013
2016-01-20 15:11:24 -08:00
}
class { 'openstack_project::mirror':
vhost_name => $::fqdn,
require => Class['Openstack_project::Server'],
}
}
Add files01.openstack.org Change-Id: Ia2f5e365621e0bef65863b7b15daebb207e42493
2016-09-15 09:35:03 -07:00
# Serve static AFS content for docs and other sites.
# Node-OS: trusty
Support xenial on files Change-Id: Ia934027412d65364d4649e5f58032d4df69957ad
2017-12-11 09:33:43 -08:00
# Node-OS: xenial
node /^files\d*\.openstack\.org$/ {
Add HTTPS to developer and docs.openstack.org Add X.509 certificates, certificate chains and private keys for https://developer.openstack.org/ and https://docs.openstack.org/ separately using SNI (as the list grows we can consider condensing these into a single cert using ServerAltNames later). Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec
2017-01-24 22:54:32 +00:00
$group = "files"
Add files01.openstack.org Change-Id: Ia2f5e365621e0bef65863b7b15daebb207e42493
2016-09-15 09:35:03 -07:00
class { 'openstack_project::server':
Open port 443 on files01.openstack.org Also, remove port 22 from the list of public tcp ports that need opening -- that's implied and not necessary. Change-Id: Ief17a2eab3330b2c4b85bc252b8af55cdd99980f
2017-01-26 11:48:22 -08:00
iptables_public_tcp_ports => [80, 443],
Add files01.openstack.org Change-Id: Ia2f5e365621e0bef65863b7b15daebb207e42493
2016-09-15 09:35:03 -07:00
sysadmins => hiera('sysadmins', []),
afs => true,
afs_cache_size => 10000000, # 10GB
}
class { 'openstack_project::files':
Add HTTPS to developer and docs.openstack.org Add X.509 certificates, certificate chains and private keys for https://developer.openstack.org/ and https://docs.openstack.org/ separately using SNI (as the list grows we can consider condensing these into a single cert using ServerAltNames later). Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec
2017-01-24 22:54:32 +00:00
vhost_name => 'files.openstack.org',
Correct hiera keys for docs/developer certs Use the correct hiera key names for the HTTPS cert/chain/key file contents used by the developer.openstack.org and docs.openstack.org sites. Change-Id: I84f790bf132c81678836e84b2f89bdb01ed71f73
2017-01-26 21:00:55 +00:00
developer_cert_file_contents => hiera('developer_cert_file_contents'),
developer_key_file_contents => hiera('developer_key_file_contents'),
developer_chain_file_contents => hiera('developer_chain_file_contents'),
docs_cert_file_contents => hiera('docs_cert_file_contents'),
docs_key_file_contents => hiera('docs_key_file_contents'),
docs_chain_file_contents => hiera('docs_chain_file_contents'),
Add HTTPS to developer and docs.openstack.org Add X.509 certificates, certificate chains and private keys for https://developer.openstack.org/ and https://docs.openstack.org/ separately using SNI (as the list grows we can consider condensing these into a single cert using ServerAltNames later). Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec
2017-01-24 22:54:32 +00:00
require => Class['Openstack_project::Server'],
Add files01.openstack.org Change-Id: Ia2f5e365621e0bef65863b7b15daebb207e42493
2016-09-15 09:35:03 -07:00
}
}
Add a refstack.openstack.org server This implements the refstack Puppet module on a server named refstack.openstack.org, where hosting of the refstack repo data and site content will move in the near future. Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org> Co-Authored-By: Paul Van Eck <pvaneck@us.ibm.com> Change-Id: I628e190851fa6d266f612372ab03b7d6c65764ea Depends-On: I470d7f5ebeee9949f6dd58d48a580d94866df0fd
2015-07-06 19:39:00 +00:00
# Node-OS: trusty
Support xenial on refstack Change-Id: I88c4160b12c59664bb486dd5cf2dc49d299392f9
2017-12-11 09:34:11 -08:00
# Node-OS: xenial
node /^refstack\d*\.openstack\.org$/ {
Add a refstack.openstack.org server This implements the refstack Puppet module on a server named refstack.openstack.org, where hosting of the refstack repo data and site content will move in the near future. Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org> Co-Authored-By: Paul Van Eck <pvaneck@us.ibm.com> Change-Id: I628e190851fa6d266f612372ab03b7d6c65764ea Depends-On: I470d7f5ebeee9949f6dd58d48a580d94866df0fd
2015-07-06 19:39:00 +00:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'refstack':
mysql_host => hiera('refstack_mysql_host', 'localhost'),
mysql_database => hiera('refstack_mysql_db_name', 'refstack'),
mysql_user => hiera('refstack_mysql_user', 'refstack'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from refstack. Change-Id: I9b875401985b89e3eb27be7812b720b40b146389
2015-10-16 14:22:54 -07:00
mysql_user_password => hiera('refstack_mysql_password'),
ssl_cert_content => hiera('refstack_ssl_cert_file_contents'),
ssl_key_content => hiera('refstack_ssl_key_file_contents'),
ssl_ca_content => hiera('refstack_ssl_chain_file_contents'),
Add a refstack.openstack.org server This implements the refstack Puppet module on a server named refstack.openstack.org, where hosting of the refstack repo data and site content will move in the near future. Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org> Co-Authored-By: Paul Van Eck <pvaneck@us.ibm.com> Change-Id: I628e190851fa6d266f612372ab03b7d6c65764ea Depends-On: I470d7f5ebeee9949f6dd58d48a580d94866df0fd
2015-07-06 19:39:00 +00:00
protocol => 'https',
}
Add database backups for refstack.openstack.org Change-Id: If9561b28c0fdff7b83ca7c00ea7093df3367815d
2015-12-07 22:44:39 +00:00
mysql_backup::backup_remote { 'refstack':
database_host => hiera('refstack_mysql_host', 'localhost'),
database_user => hiera('refstack_mysql_user', 'refstack'),
database_password => hiera('refstack_mysql_password'),
require => Class['::refstack'],
}
Add a refstack.openstack.org server This implements the refstack Puppet module on a server named refstack.openstack.org, where hosting of the refstack repo data and site content will move in the near future. Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org> Co-Authored-By: Paul Van Eck <pvaneck@us.ibm.com> Change-Id: I628e190851fa6d266f612372ab03b7d6c65764ea Depends-On: I470d7f5ebeee9949f6dd58d48a580d94866df0fd
2015-07-06 19:39:00 +00:00
}
Add Storyboard puppet module There are two major parts being installed with this module: 1. storyboard-api - REST API service served with apache mod_wsgi module 2. storyboard-webclient - static html/css/js files. This project is built and published to tarballs.o.o, from where it'll be installed with this puppet module This module requires three configs from Hiera: * storyboard_db_host * storyboard_db_password * storyboard_db_user Installed projects: * http://git.openstack.org/cgit/openstack-infra/storyboard/ * http://git.openstack.org/cgit/openstack-infra/storyboard-webclient/ Things to be added in later commits: * Documentation for ci.openstack.org * Configure logging (once supported by storyboard) * SSL Change-Id: If3da06f8d20a6282036f1f9f063c25a6d0db60c6
2014-01-06 06:33:45 +04:00
# A machine to run Storyboard
Add a storyboard-dev server This will help the storyboard devs dev things. This machine will run trusty and will help us prep the storyboard.o.o upgrade to trusty. After this machine is happily running, we'll do the real upgrade. Also add manifest testing on trusty for storyboard.o.o in preparation to upgrade it. Several new hiera keys are required for this. Hopefully we can use snakeoil ssl certificates. Change-Id: I0b3080e810da24546ea9b87b2d45f7d8bdfadf3d
2016-05-03 08:37:42 -07:00
# Node-OS: trusty
Support xenial on storyboard and storyboard-dev Change-Id: Ifd217373a6f082726ca333f678d4f4a9f9d9aeb3
2017-12-11 09:34:41 -08:00
# Node-OS: xenial
node /^storyboard\d*\.openstack\.org$/ {
Add Storyboard puppet module There are two major parts being installed with this module: 1. storyboard-api - REST API service served with apache mod_wsgi module 2. storyboard-webclient - static html/css/js files. This project is built and published to tarballs.o.o, from where it'll be installed with this puppet module This module requires three configs from Hiera: * storyboard_db_host * storyboard_db_password * storyboard_db_user Installed projects: * http://git.openstack.org/cgit/openstack-infra/storyboard/ * http://git.openstack.org/cgit/openstack-infra/storyboard-webclient/ Things to be added in later commits: * Documentation for ci.openstack.org * Configure logging (once supported by storyboard) * SSL Change-Id: If3da06f8d20a6282036f1f9f063c25a6d0db60c6
2014-01-06 06:33:45 +04:00
class { 'openstack_project::storyboard':
Switch git and storyboard to project-config Change-Id: I78a5ac024bbc44504529233804288ccc81829ede
2014-09-25 13:11:54 -07:00
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
Make the fallback sysadmins value the same The fallback value for sysadmins was was admins in some places and admin in others. However, re: jeblair: The fallback value for sysadmins should be "[]", which is actually the default value. Configuring the mail system to send root's mail to an account called 'admin' which may or may not exist and if it does exist may send mail to root is not a good idea. The default of [] will deliver root's mail normally. Change-Id: Iaeca86ef135b6a3210541618d48caf4058dc7966
2014-06-14 08:09:09 -07:00
sysadmins => hiera('sysadmins', []),
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
mysql_host => hiera('storyboard_db_host', 'localhost'),
mysql_user => hiera('storyboard_db_user', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from storyboard. Change-Id: I4c774bcbfd53b5b568bb2b0289483b3977e4a260
2015-10-16 14:24:54 -07:00
mysql_password => hiera('storyboard_db_password'),
Update storyboard version to include rabbitmq This updates the version of storyboard that is used by infra to include rabbitmq. Change-Id: I8cbfb17715a75cf63dd60ad4bae24bc40b3a6944
2014-08-13 14:48:11 -07:00
rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from storyboard. Change-Id: I4c774bcbfd53b5b568bb2b0289483b3977e4a260
2015-10-16 14:24:54 -07:00
rabbitmq_password => hiera('storyboard_rabbit_password'),
Pass storyboard cert/key paths via global manifest Since we want to use different certificate and key file paths in openstack_project::storyboard::dev we need to be able to default them through openstack_project::storyboard, so set them from the global site manifest instead of hard-coding them in the class. Change-Id: Ifc92d78f081fc69d804c29033e96e1c94462213b
2016-05-18 15:28:14 +00:00
ssl_cert => '/etc/ssl/certs/storyboard.openstack.org.pem',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from storyboard. Change-Id: I4c774bcbfd53b5b568bb2b0289483b3977e4a260
2015-10-16 14:24:54 -07:00
ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
Pass storyboard cert/key paths via global manifest Since we want to use different certificate and key file paths in openstack_project::storyboard::dev we need to be able to default them through openstack_project::storyboard, so set them from the global site manifest instead of hard-coding them in the class. Change-Id: Ifc92d78f081fc69d804c29033e96e1c94462213b
2016-05-18 15:28:14 +00:00
ssl_key => '/etc/ssl/private/storyboard.openstack.org.key',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from storyboard. Change-Id: I4c774bcbfd53b5b568bb2b0289483b3977e4a260
2015-10-16 14:24:54 -07:00
ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
Hostname and CORS domains are now configurable. Moved $hostname and $cors_allowed_origins into the top level module, so that they may be set on a per-host basis. Change-Id: I9859c903d0075493d230e433d68e0471f019140a
2015-02-23 13:08:51 -08:00
hostname => $::fqdn,
Added Valid OAuth client configuration to storyboard manifest. StoryBoard now only permits a finite list of authorized oauth clients, which are based on the domain host. This adds the necessary configuration elements to the OpenStack StoryBoard manifest. Change-Id: Ia7d34e9b80399ffa9e4229d6cc7035061c41dffc Depends-on: I29495a0b640c3ca097cca8c17349df5cc42388de
2015-02-23 12:27:02 -08:00
valid_oauth_clients => [
$::fqdn,
Remove docs-draft vhost from static.o.o All draft documentation jobs now just publish content into an "html" subtree of their job logs on logs.openstack.org and have been doing so since longer than our configured content expiration period, so the separate vhost for docs-draft.openstack.org is no longer required and can be removed. While here, change up the CORS configuration for storyboard.openstack.org and storyboard-dev.openstack.org to respect draft storyboard-webclient copies on logs.openstack.org rather than simply removing these stanzas. Once this change merges and configuration gets applied to static.openstack.org, the allocated resources for the old docs-draft vhost (logical volume, DNS entry) can be safely removed. Change-Id: Ib44df24100192f7903eb60c6fc93feeea0894b90
2017-12-07 20:57:25 +00:00
'logs.openstack.org',
Added Valid OAuth client configuration to storyboard manifest. StoryBoard now only permits a finite list of authorized oauth clients, which are based on the domain host. This adds the necessary configuration elements to the OpenStack StoryBoard manifest. Change-Id: Ia7d34e9b80399ffa9e4229d6cc7035061c41dffc Depends-on: I29495a0b640c3ca097cca8c17349df5cc42388de
2015-02-23 12:27:02 -08:00
],
Hostname and CORS domains are now configurable. Moved $hostname and $cors_allowed_origins into the top level module, so that they may be set on a per-host basis. Change-Id: I9859c903d0075493d230e433d68e0471f019140a
2015-02-23 13:08:51 -08:00
cors_allowed_origins => [
"https://${::fqdn}",
Remove docs-draft vhost from static.o.o All draft documentation jobs now just publish content into an "html" subtree of their job logs on logs.openstack.org and have been doing so since longer than our configured content expiration period, so the separate vhost for docs-draft.openstack.org is no longer required and can be removed. While here, change up the CORS configuration for storyboard.openstack.org and storyboard-dev.openstack.org to respect draft storyboard-webclient copies on logs.openstack.org rather than simply removing these stanzas. Once this change merges and configuration gets applied to static.openstack.org, the allocated resources for the old docs-draft vhost (logical volume, DNS entry) can be safely removed. Change-Id: Ib44df24100192f7903eb60c6fc93feeea0894b90
2017-12-07 20:57:25 +00:00
'http://logs.openstack.org',
Hostname and CORS domains are now configurable. Moved $hostname and $cors_allowed_origins into the top level module, so that they may be set on a per-host basis. Change-Id: I9859c903d0075493d230e433d68e0471f019140a
2015-02-23 13:08:51 -08:00
],
Add sender email for storyboard.openstack.org This patch updates the sender email from the default no-reply@storyboard.openstack.org to storyboard@storyboard.openstack.org , as the former user is not recognised. By doing it here, we avoid changing the global defaults, as per the comments in this patch: https://review.openstack.org/#/c/293080/ Change-Id: Ic4d12ab42687aaf4d0157aa5155ad7d81b94bacb
2016-03-16 10:48:23 +00:00
sender_email_address => 'storyboard@storyboard.openstack.org',
Add Storyboard puppet module There are two major parts being installed with this module: 1. storyboard-api - REST API service served with apache mod_wsgi module 2. storyboard-webclient - static html/css/js files. This project is built and published to tarballs.o.o, from where it'll be installed with this puppet module This module requires three configs from Hiera: * storyboard_db_host * storyboard_db_password * storyboard_db_user Installed projects: * http://git.openstack.org/cgit/openstack-infra/storyboard/ * http://git.openstack.org/cgit/openstack-infra/storyboard-webclient/ Things to be added in later commits: * Documentation for ci.openstack.org * Configure logging (once supported by storyboard) * SSL Change-Id: If3da06f8d20a6282036f1f9f063c25a6d0db60c6
2014-01-06 06:33:45 +04:00
}
}
Add a storyboard-dev server This will help the storyboard devs dev things. This machine will run trusty and will help us prep the storyboard.o.o upgrade to trusty. After this machine is happily running, we'll do the real upgrade. Also add manifest testing on trusty for storyboard.o.o in preparation to upgrade it. Several new hiera keys are required for this. Hopefully we can use snakeoil ssl certificates. Change-Id: I0b3080e810da24546ea9b87b2d45f7d8bdfadf3d
2016-05-03 08:37:42 -07:00
# A machine to run Storyboard devel
# Node-OS: trusty
Support xenial on storyboard and storyboard-dev Change-Id: Ifd217373a6f082726ca333f678d4f4a9f9d9aeb3
2017-12-11 09:34:41 -08:00
# Node-OS: xenial
node /^storyboard-dev\d*\.openstack\.org$/ {
Realize SotK and Zara on the storyboard-dev server This patch realizes SotK's and Zara's accounts on the storyboard-dev server. It accomplishes this by adding an openstack_project::storyboard::dev subclass as a wrapper to differentiate development server parameters where needed. Co-Authored By: Spencer Krum <nibz@spencerkrum.com> Change-Id: I477763846f03d807a9627cd3afe5caee09b1100b
2016-05-12 14:09:49 -04:00
class { 'openstack_project::storyboard::dev':
Add a storyboard-dev server This will help the storyboard devs dev things. This machine will run trusty and will help us prep the storyboard.o.o upgrade to trusty. After this machine is happily running, we'll do the real upgrade. Also add manifest testing on trusty for storyboard.o.o in preparation to upgrade it. Several new hiera keys are required for this. Hopefully we can use snakeoil ssl certificates. Change-Id: I0b3080e810da24546ea9b87b2d45f7d8bdfadf3d
2016-05-03 08:37:42 -07:00
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
sysadmins => hiera('sysadmins', []),
mysql_host => hiera('storyboard_db_host', 'localhost'),
mysql_user => hiera('storyboard_db_user', 'username'),
mysql_password => hiera('storyboard_db_password'),
rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
rabbitmq_password => hiera('storyboard_rabbit_password'),
hostname => $::fqdn,
valid_oauth_clients => [
$::fqdn,
Remove docs-draft vhost from static.o.o All draft documentation jobs now just publish content into an "html" subtree of their job logs on logs.openstack.org and have been doing so since longer than our configured content expiration period, so the separate vhost for docs-draft.openstack.org is no longer required and can be removed. While here, change up the CORS configuration for storyboard.openstack.org and storyboard-dev.openstack.org to respect draft storyboard-webclient copies on logs.openstack.org rather than simply removing these stanzas. Once this change merges and configuration gets applied to static.openstack.org, the allocated resources for the old docs-draft vhost (logical volume, DNS entry) can be safely removed. Change-Id: Ib44df24100192f7903eb60c6fc93feeea0894b90
2017-12-07 20:57:25 +00:00
'logs.openstack.org',
Add a storyboard-dev server This will help the storyboard devs dev things. This machine will run trusty and will help us prep the storyboard.o.o upgrade to trusty. After this machine is happily running, we'll do the real upgrade. Also add manifest testing on trusty for storyboard.o.o in preparation to upgrade it. Several new hiera keys are required for this. Hopefully we can use snakeoil ssl certificates. Change-Id: I0b3080e810da24546ea9b87b2d45f7d8bdfadf3d
2016-05-03 08:37:42 -07:00
],
cors_allowed_origins => [
"https://${::fqdn}",
Remove docs-draft vhost from static.o.o All draft documentation jobs now just publish content into an "html" subtree of their job logs on logs.openstack.org and have been doing so since longer than our configured content expiration period, so the separate vhost for docs-draft.openstack.org is no longer required and can be removed. While here, change up the CORS configuration for storyboard.openstack.org and storyboard-dev.openstack.org to respect draft storyboard-webclient copies on logs.openstack.org rather than simply removing these stanzas. Once this change merges and configuration gets applied to static.openstack.org, the allocated resources for the old docs-draft vhost (logical volume, DNS entry) can be safely removed. Change-Id: Ib44df24100192f7903eb60c6fc93feeea0894b90
2017-12-07 20:57:25 +00:00
'http://logs.openstack.org',
Add a storyboard-dev server This will help the storyboard devs dev things. This machine will run trusty and will help us prep the storyboard.o.o upgrade to trusty. After this machine is happily running, we'll do the real upgrade. Also add manifest testing on trusty for storyboard.o.o in preparation to upgrade it. Several new hiera keys are required for this. Hopefully we can use snakeoil ssl certificates. Change-Id: I0b3080e810da24546ea9b87b2d45f7d8bdfadf3d
2016-05-03 08:37:42 -07:00
],
sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
}
Realize SotK and Zara on the storyboard-dev server This patch realizes SotK's and Zara's accounts on the storyboard-dev server. It accomplishes this by adding an openstack_project::storyboard::dev subclass as a wrapper to differentiate development server parameters where needed. Co-Authored By: Spencer Krum <nibz@spencerkrum.com> Change-Id: I477763846f03d807a9627cd3afe5caee09b1100b
2016-05-12 14:09:49 -04:00
Add a storyboard-dev server This will help the storyboard devs dev things. This machine will run trusty and will help us prep the storyboard.o.o upgrade to trusty. After this machine is happily running, we'll do the real upgrade. Also add manifest testing on trusty for storyboard.o.o in preparation to upgrade it. Several new hiera keys are required for this. Hopefully we can use snakeoil ssl certificates. Change-Id: I0b3080e810da24546ea9b87b2d45f7d8bdfadf3d
2016-05-03 08:37:42 -07:00
}
Add node definition for static.openstack.org. Add node definition for static.openstack.org and create first simple implementation of what the static.openstack.org host would look like. Change-Id: I04952154246c4985e7ff44909e892918a1336fba Reviewed-on: https://review.openstack.org/11193 Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-08-10 15:38:08 -07:00
# A machine to serve static content.
Clean up puppet-apply testing on precise We've upgraded from precise to trusty on series of hosts, but forgot to update site.pp. This patch moves zuul, static, paste and proposal.slave to run tests on ubuntu-trusty. Change-Id: Iba041533ea86c3b01f981069b53fc7a1781521b1 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-07-28 11:27:18 -04:00
# Node-OS: trusty
Support xenial on static Change-Id: I0dc56c1f82f4925010cd1b71f1819beb5dadd689
2017-12-11 09:36:36 -08:00
# Node-OS: xenial
node /^static\d*\.openstack\.org$/ {
Break out openstack_project::server from static.o.o Change-Id: I2c3c5d0f3075ca1c289dd00d0e529957d2e3dfa7 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-06-24 17:57:10 +00:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-06 10:32:48 -07:00
class { 'openstack_project::static':
Roll releases site into common cert Now that the static.o.o SSL cert has been renewed, additional CNs have been included in the SAN set for it. As a result, we can simplify configuration for the newer sites added since the prior renewal. Change-Id: I77f49cea53b0a06ce4399d46b00806a2cbd7e509
2017-06-30 20:30:54 +00:00
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
swift_user => 'infra-files-ro',
swift_key => hiera('infra_files_ro_password'),
swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
swift_region_name => 'DFW',
swift_default_container => 'infra-files',
ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
Add status.openstack.org vm Let's branch status.o.o off from static.o.o into its own machine. For now, keep the extra /static/ in paths to ease the transition (so we can use the same files and templates). We can remove them later if desired. Change-Id: If38197db79b9f6adfcdcf40f10d4797c7df1c620
2013-12-11 12:01:13 -08:00
}
}
Add zk01-03 servers to cluster zookeeper As part of the migration to ubuntu-xenial, create a new zookeeper cluster which allows us to migrate out live data from nodepool.o.o. This commit doesn't open the ports on nodepool.o.o just yet, but should allow our 3 zookeeper servers to obtain quorum. Change-Id: Iaca6015bb063cca452d0dc6c390dc6dcf55148f9 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-11-30 12:51:24 -05:00
# Node-OS: xenial
node /^zk\d+\.openstack\.org$/ {
$zk_receivers = [
'nb03.openstack.org',
'nb04.openstack.org',
'nl01.openstack.org',
'nl02.openstack.org',
Update firewalls, zookeeper and cacti for zuul01 Now that the zuul01.openstack.org instance exists in DNS, update firewall rules, zookeeper and cacti configuration to include it (replacing the old zuul.openstack.org entries where relevant). Change-Id: I6bf605cd5120e342d597d9f862902bdc04abc7e7
2018-01-15 20:33:14 +00:00
'zuul01.openstack.org',
Add zk01-03 servers to cluster zookeeper As part of the migration to ubuntu-xenial, create a new zookeeper cluster which allows us to migrate out live data from nodepool.o.o. This commit doesn't open the ports on nodepool.o.o just yet, but should allow our 3 zookeeper servers to obtain quorum. Change-Id: Iaca6015bb063cca452d0dc6c390dc6dcf55148f9 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-11-30 12:51:24 -05:00
'zuulv3.openstack.org',
]
$zk_cluster_members = [
Revert "Remove zk_cluster_members from iptables" All 3 servers are now online and added to DNS. This reverts commit e471881166f11a781f5cd85ed1af601e0cf5ab5c. Change-Id: Iccfe75771c3cef84f99201ae4abb31a85df28708 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-04 21:33:17 -05:00
'zk01.openstack.org',
'zk02.openstack.org',
'zk03.openstack.org',
Add zk01-03 servers to cluster zookeeper As part of the migration to ubuntu-xenial, create a new zookeeper cluster which allows us to migrate out live data from nodepool.o.o. This commit doesn't open the ports on nodepool.o.o just yet, but should allow our 3 zookeeper servers to obtain quorum. Change-Id: Iaca6015bb063cca452d0dc6c390dc6dcf55148f9 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-11-30 12:51:24 -05:00
]
$zk_receiver_rule = regsubst($zk_receivers,
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 2181 -s \1 -j ACCEPT')
$zk_election_rule = regsubst($zk_cluster_members,
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 2888 -s \1 -j ACCEPT')
$zk_leader_rule = regsubst($zk_cluster_members,
Fix typo in zookeeper election firewall port It is tcp/3888 not tcp/3889. Change-Id: I58c6b1e7079569fa2f468aa03e1712b5a76ac016 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-05 13:47:47 -05:00
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 3888 -s \1 -j ACCEPT')
Add zk01-03 servers to cluster zookeeper As part of the migration to ubuntu-xenial, create a new zookeeper cluster which allows us to migrate out live data from nodepool.o.o. This commit doesn't open the ports on nodepool.o.o just yet, but should allow our 3 zookeeper servers to obtain quorum. Change-Id: Iaca6015bb063cca452d0dc6c390dc6dcf55148f9 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-11-30 12:51:24 -05:00
$iptables_rule = flatten([$zk_receiver_rule, $zk_election_rule, $zk_leader_rule])
class { 'openstack_project::server':
iptables_rules6 => $iptables_rule,
iptables_rules4 => $iptables_rule,
sysadmins => hiera('sysadmins', []),
}
class { '::zookeeper':
Set myid for zookeeper to numeric Use regex to find out the number of the hostname so we can use that for myid. The value must be numeric. Change-Id: Ib9d700c06ef858242f1e3c850dbfe3f2d3cd7c8a Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-04 23:04:32 -05:00
# ID needs to be numeric, so we use regex to extra numbers from fqdn.
id => regsubst($::fqdn, '^zk(\d+)\.openstack\.org$', '\1'),
Add zk01-03 servers to cluster zookeeper As part of the migration to ubuntu-xenial, create a new zookeeper cluster which allows us to migrate out live data from nodepool.o.o. This commit doesn't open the ports on nodepool.o.o just yet, but should allow our 3 zookeeper servers to obtain quorum. Change-Id: Iaca6015bb063cca452d0dc6c390dc6dcf55148f9 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-11-30 12:51:24 -05:00
# The frequency in hours to look for and purge old snapshots,
# defaults to 0 (disabled). The number of retained snapshots can
# be separately controlled through snap_retain_count and
# defaults to the minimum value of 3. This will quickly fill the
# disk in production if not enabled. Works on ZK >=3.4.
purge_interval => 6,
servers => $zk_cluster_members,
}
}
Remove status.o.o vhost from static.o.o Change-Id: I8e7ee035b10895043622041bf8bdfef84162ffd5
2013-12-19 14:57:02 -08:00
# A machine to serve various project status updates.
Migrate status.o.o to ubuntu trusty This is part of our effort to migrate our servers from ubuntu precise to ubuntu trusty. Change-Id: Ib7e3dddb2cd04f985af4dc895adcc8fca440c7f2 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-05-24 16:30:22 -04:00
# Node-OS: trusty
status.o.o xenial upgrade Convert puppet for status01.o.o which will be a xenial host. status.o.o will be redirected. Change-Id: Iec638a06e7578d6d8ad2bdc5daf2ef5abba6607f
2017-12-11 14:27:36 +11:00
# Node-OS: xenial
node /^status\d*\.openstack\.org$/ {
$group = 'status'
Moved the server class out of the status class Change-Id: Ia32843de94a913f2c227fe30a4f25425dd08e417 Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-27 14:55:10 -04:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
Add status.openstack.org vm Let's branch status.o.o off from static.o.o into its own machine. For now, keep the extra /static/ in paths to ease the transition (so we can use the same files and templates). We can remove them later if desired. Change-Id: If38197db79b9f6adfcdcf40f10d4797c7df1c620
2013-12-11 12:01:13 -08:00
class { 'openstack_project::status':
Move elastic-recheck bot to status.o.o Also, normalize some parameters to the status manifest to make it more readable (since they follow the same pattern). And make the ssh config for elastic-recheck bot match reviewday. Change-Id: I2417f121e7b3685aab9540504cdd4c6db1754e67
2013-12-31 11:11:55 -08:00
gerrit_host => 'review.openstack.org',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from status. Change-Id: I676b3e74551ea11e1887ab4a03e12cb3ac4b2814
2015-10-16 14:26:49 -07:00
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
reviewday_ssh_public_key => hiera('reviewday_rsa_pubkey_contents'),
reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
recheck_ssh_public_key => hiera('elastic-recheck_gerrit_ssh_public_key'),
recheck_ssh_private_key => hiera('elastic-recheck_gerrit_ssh_private_key'),
Move elastic-recheck bot to status.o.o Also, normalize some parameters to the status manifest to make it more readable (since they follow the same pattern). And make the ssh config for elastic-recheck bot match reviewday. Change-Id: I2417f121e7b3685aab9540504cdd4c6db1754e67
2013-12-31 11:11:55 -08:00
recheck_bot_nick => 'openstackrecheck',
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from status. Change-Id: I676b3e74551ea11e1887ab4a03e12cb3ac4b2814
2015-10-16 14:26:49 -07:00
recheck_bot_passwd => hiera('elastic-recheck_ircbot_password'),
Pass sysadmins list into node defs. Pass the sysadmins list into each node definition. This allows us to retrieve the data from hiera rather than hard coding it in the puppet manifests. Also, update test script to use bogus sysadmin data when testing. Change-Id: Ide3560f16bce4d66fb95cc5021fc879476e6a712 Reviewed-on: https://review.openstack.org/12512 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-06 10:32:48 -07:00
}
Add node definition for static.openstack.org. Add node definition for static.openstack.org and create first simple implementation of what the static.openstack.org host would look like. Change-Id: I04952154246c4985e7ff44909e892918a1336fba Reviewed-on: https://review.openstack.org/11193 Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-08-10 15:38:08 -07:00
}
Add an authoritative hidden master This runs bind as a hidden master nameserver so we can do all the keysigning there, and then use nsd (or bind) as public authoritative slaves. Change-Id: Ifb2ad109103051fa13c4af1c7be1ca0ae98bb1a1
2017-12-15 16:20:56 -08:00
# This is a hidden authoritative master nameserver, not publicly
# accessible.
# Node-OS: xenial
node /^adns\d+\.openstack\.org$/ {
$group = 'adns'
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_allowed_hosts => [
{protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
Add ns2.openstack.org adns1 should allow axfr and notify it. Change-Id: Icef40946acbef78387d539d82158bc6d57610328
2017-12-20 10:48:59 -08:00
{protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
Add an authoritative hidden master This runs bind as a hidden master nameserver so we can do all the keysigning there, and then use nsd (or bind) as public authoritative slaves. Change-Id: Ifb2ad109103051fa13c4af1c7be1ca0ae98bb1a1
2017-12-15 16:20:56 -08:00
],
}
class { 'openstack_project::master_nameserver':
tsig_key => hiera('tsig_key', {}),
dnssec_keys => hiera_hash('dnssec_keys', {}),
Revert "Add ns3.openstack.org" This reverts commit bb1b450c3061e08c12bfe217519fbfa51f60f2b2. This is no longer needed (it was used for testing). Change-Id: I81bb639860d042b839493c390c859a73a47362f0
2017-12-21 16:38:35 -08:00
notifies => concat(dns_a('ns1.openstack.org'), dns_a('ns2.openstack.org')),
Add an authoritative hidden master This runs bind as a hidden master nameserver so we can do all the keysigning there, and then use nsd (or bind) as public authoritative slaves. Change-Id: Ifb2ad109103051fa13c4af1c7be1ca0ae98bb1a1
2017-12-15 16:20:56 -08:00
}
}
# These are publicly accessible authoritative slave nameservers.
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090
2017-12-12 13:20:36 -08:00
# Node-OS: xenial
node /^ns\d+\.openstack\.org$/ {
$group = 'ns'
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_udp_ports => [53],
Make ns*.openstack.org authoritative slaves Slaved to adns1.openstack.org, our hidden master. Change-Id: I12e29506b1ae589db045830f3b866654b6647a58
2017-12-18 15:59:48 -08:00
iptables_public_tcp_ports => [53],
}
$tsig_key = hiera('tsig_key', {})
if $tsig_key != {} {
$tsig_name = 'tsig'
nsd::tsig { 'tsig':
algo => $tsig_key[algorithm],
data => $tsig_key[secret],
}
} else {
$tsig_name = undef
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090
2017-12-12 13:20:36 -08:00
}
class { '::nsd':
Make ns*.openstack.org authoritative slaves Slaved to adns1.openstack.org, our hidden master. Change-Id: I12e29506b1ae589db045830f3b866654b6647a58
2017-12-18 15:59:48 -08:00
ip_addresses => [ $::ipaddress, $::ipaddress6 ],
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090
2017-12-12 13:20:36 -08:00
zones => {
Make ns*.openstack.org authoritative slaves Slaved to adns1.openstack.org, our hidden master. Change-Id: I12e29506b1ae589db045830f3b866654b6647a58
2017-12-18 15:59:48 -08:00
'adns1_zones' => {
allow_notify => dns_a('adns1.openstack.org'),
masters => dns_a('adns1.openstack.org'),
zones => ['zuul-ci.org'],
tsig_name => $tsig_name,
}
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090
2017-12-12 13:20:36 -08:00
}
}
}
Run nodepool on Ubuntu Trusty The nodepool.openstack.org server is now running on Ubuntu Trusty, so test its manifest accordingly. Change-Id: I08784812c28838233bcbc0ed6a80e8aa81b1568b
2015-01-15 22:06:20 +00:00
# Node-OS: trusty
Add nodepool host Change-Id: Ib216bd400aa269ccdb17848b3870ab65400cf3d2
2013-08-15 17:52:52 +00:00
node 'nodepool.openstack.org' {
Add nodepool hiera group Also sort the groups. Change-Id: I6c8718894c065549d5dfb37dae26a9c157c9cb09
2016-11-23 11:27:16 -08:00
$group = 'nodepool'
Preform housekeeping on git repos cloned by DIB Over time out git repos get large and require some upkeep. Ideally this should be done in the source-repositories element. We can revert this code once we have landed that upstream. Change-Id: I6b9ecd4448d97b5ab2bf3808ff36ff4e74be72e4 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-10-15 09:48:10 -04:00
# TODO(pabelanger): Move all of this back into nodepool manifest, it has
# grown too big.
Add omfracloud to nodepool This adds the omfracloud jenkins account credentials to nodepool. I'm not pleased with the file resource in the node definition, but that node definiton grew huge and needs a refactor anyways so we can do that when we do it. I have verified that the correct keys are in hiera. Change-Id: Iafca5e86f72321c6aa7bef748ac2b1942539d15f
2016-02-02 19:21:44 -08:00
$rackspace_username = hiera('nodepool_rackspace_username', 'username')
$rackspace_password = hiera('nodepool_rackspace_password')
$rackspace_project = hiera('nodepool_rackspace_project', 'project')
$hpcloud_username = hiera('nodepool_hpcloud_username', 'username')
$hpcloud_password = hiera('nodepool_hpcloud_password')
$hpcloud_project = hiera('nodepool_hpcloud_project', 'project')
$internap_username = hiera('nodepool_internap_username', 'username')
$internap_password = hiera('nodepool_internap_password')
$internap_project = hiera('nodepool_internap_project', 'project')
$ovh_username = hiera('nodepool_ovh_username', 'username')
$ovh_password = hiera('nodepool_ovh_password')
$ovh_project = hiera('nodepool_ovh_project', 'project')
$tripleo_username = hiera('nodepool_tripleo_username', 'username')
$tripleo_password = hiera('nodepool_tripleo_password')
$tripleo_project = hiera('nodepool_tripleo_project', 'project')
Add chocolate params and resources to Nodepool node Change-Id: Ib78594628ed3d2b780915fb50bb3943e10452ef5
2016-09-28 14:03:12 +02:00
$infracloud_vanilla_username = hiera('nodepool_infracloud_vanilla_username', 'username')
$infracloud_vanilla_password = hiera('nodepool_infracloud_vanilla_password')
$infracloud_vanilla_project = hiera('nodepool_infracloud_vanilla_project', 'project')
$infracloud_chocolate_username = hiera('nodepool_infracloud_chocolate_username', 'username')
$infracloud_chocolate_password = hiera('nodepool_infracloud_chocolate_password')
$infracloud_chocolate_project = hiera('nodepool_infracloud_chocolate_project', 'project')
Add vexxhost cloud credentials Add vexxhost account credentials to our various clouds.yaml files. This covers the all clouds, ansible, and nodepool clouds.yaml files. With this in place we can work to deploying tests onto vexxhost. Change-Id: I42101e9acc9f62897a3f63b85dd34a14adcf2394
2016-03-01 15:36:35 -08:00
$vexxhost_username = hiera('nodepool_vexxhost_username', 'username')
$vexxhost_password = hiera('nodepool_vexxhost_password')
$vexxhost_project = hiera('nodepool_vexxhost_project', 'project')
Add citycloud cloud Change-Id: Ibcaeb3bfdbca8625064ec74dfed486516f4e0279
2016-10-12 15:27:08 -07:00
$citycloud_username = hiera('nodepool_citycloud_username', 'username')
$citycloud_password = hiera('nodepool_citycloud_password')
Add omfracloud to nodepool This adds the omfracloud jenkins account credentials to nodepool. I'm not pleased with the file resource in the node definition, but that node definiton grew huge and needs a refactor anyways so we can do that when we do it. I have verified that the correct keys are in hiera. Change-Id: Iafca5e86f72321c6aa7bef748ac2b1942539d15f
2016-02-02 19:21:44 -08:00
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
Add iptables rule for zookeeper on nodepool.o.o We need to allow access to zookeeper from nb01.o.o. Change-Id: I03fb205544fb27253c6227823858ed92cea9b258 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-11-28 21:47:10 -05:00
Moved out the server class from the nodepool_prod class Change-Id: I976b518def0e4213c9488fc5b65cd38e02830a79 Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-20 13:39:09 -04:00
class { 'openstack_project::server':
Switch nodepool.o.o to use iptables_allowed_hosts Stop adding DNS entries to firewall rules, we added support to resolve them into IP addresses. Change-Id: I6fc70f60563704e7ee223f30ec023936c79d7818 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-01-17 11:07:37 -05:00
iptables_allowed_hosts => [
{protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb04.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuulv3.openstack.org'},
],
Moved out the server class from the nodepool_prod class Change-Id: I976b518def0e4213c9488fc5b65cd38e02830a79 Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html
2015-05-20 13:39:09 -04:00
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80],
}
Set ZooKeeper purge_interval for on nodepool.o.o Set ZooKeeper's autopurge.purgeInterval to 6 hours for nodepool.openstack.org to limit the number of ZK snapshots kept. These will quickly fill the disk in production if this is not enabled. The purge_interval class parameter determines the frequency in hours to look for and purge old snapshots, defaulting to 0 (disabled). The number of retained snapshots can be separately controlled through snap_retain_count but already defaults to a sane value of 3 (the minimum supported for autopurge.snapRetainCount). Change-Id: If84094641add539a815718ae604729fe6f0545cd
2017-10-02 18:13:11 +00:00
class { '::zookeeper':
# The frequency in hours to look for and purge old snapshots,
# defaults to 0 (disabled). The number of retained snapshots can
# be separately controlled through snap_retain_count and
# defaults to the minimum value of 3. This will quickly fill the
# disk in production if not enabled. Works on ZK >=3.4.
purge_interval => 6,
}
Add zookeeper to nodepool.o.o This is our initial commit for adding zookeeper to Nodepool. Right now this is the most basic configuration needed to start zookeeper. As we move forward, I expect us to change out for default settings. Change-Id: I22640a91dc51d4318e6cc055177c879fa380cc4f Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-06-01 13:36:27 -04:00
include openstack_project for jenkins public key We need to include opentack_project on nodepool.o.o so we can reference the jenkins vars for the public SSH key. Change-Id: I3aaaaf711917eabdaf5dc7ce4313c05fea22c7ce Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-05-26 16:51:37 -04:00
include openstack_project
Migrate to puppet-openstackci openstackci::nodepool Manage nodepool configurations using the common-ci solution in puppet-openstackci Remove nodepool.yaml.erb from this repo as openstackci::nodepool will pull it in from project-config/nodepool/nodepool.yaml Remove the tox nodepool environment and test dependency as it has been migrated to project-config The nodepool logging template file and associated tool that generates the file will remain in this repo. In the short term, updates to nodepool.yaml in project-config repo may require a related change in this repo to update the logging configuration. In the longer term, nodepool will be updated to automatically log image creations without needing a customized logging configuration. Depends-on: I89207d100eb4b6bbb502a6ed38831f49e4b29096 Depends-on: I473a1b78acdb035eb379394a7ed5f771434dc942 Depends-on: I6b01ab7260a41927fff34b9b81b631ea2c933f22 Change-Id: I2b45a7145805368b1598d3a3e8a94f0e4eb8cf2d
2015-10-29 03:21:16 -07:00
class { '::openstackci::nodepool':
Provide separate nodepool builder log config Now that the nodepool builder is running as a separate daemon it needs its own log config file. Move the auto generated nodepool logging config stuff over to the new builder logging config as we can manage the main daemon's logging config by hand trivially now. Depends-On: I013835621dfbc311a0f7bd7c957b7d4656dfa628 Change-Id: Ic1da30eab949876e5bd6c88e83979bdedc6dd50a
2016-01-28 16:13:54 -08:00
vhost_name => 'nodepool.openstack.org',
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
mysql_password => hiera('nodepool_mysql_password'),
mysql_root_password => hiera('nodepool_mysql_root_password'),
Add zuul-worker public key to nodepool.o.o We need to do this over a series of commits, to make sure we don't break things. Here we are adding the new public key for our zuul-worker images. This is used by the zuul user in our DIB images. Change-Id: I948b9c49d3c9eb719a448205146e290148906b8c Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-05-31 14:46:34 -04:00
nodepool_ssh_public_key => hiera('zuul_worker_ssh_public_key_contents'),
# TODO(pabelanger): Switch out private key with zuul_worker once we are
# ready.
Provide separate nodepool builder log config Now that the nodepool builder is running as a separate daemon it needs its own log config file. Move the auto generated nodepool logging config stuff over to the new builder logging config as we can manage the main daemon's logging config by hand trivially now. Depends-On: I013835621dfbc311a0f7bd7c957b7d4656dfa628 Change-Id: Ic1da30eab949876e5bd6c88e83979bdedc6dd50a
2016-01-28 16:13:54 -08:00
nodepool_ssh_private_key => hiera('jenkins_ssh_private_key_contents'),
oscc_file_contents => $clouds_yaml,
image_log_document_root => '/var/log/nodepool/image',
statsd_host => 'graphite.openstack.org',
logging_conf_template => 'openstack_project/nodepool/nodepool.logging.conf.erb',
builder_logging_conf_template => 'openstack_project/nodepool/nodepool-builder.logging.conf.erb',
Bump nodepool-builder to 16 upload-workers Change-Id: Ifa8cd7b909d119cdbb3ebe5e5eb6c13ce7a140a2 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-05-12 15:18:49 -04:00
upload_workers => '16',
Decomission jenkins05 - jenkins07 These are our final jenkins masters. Change-Id: I89d0bb25088c9e3fa8bab51175b241302bd9a97d Depends-On: I6c8c3ac41f2d5fb3887d86ec5e1ecddc8273109f
2016-06-16 13:30:16 -07:00
jenkins_masters => [],
Add split daemon support for nodepool Allow nodepool to launch 3 process, instead of 1. This is to overcome capacity issues with a single process. Change-Id: I6a33359d8b488be6a44b09078401de02d68ef79e Depends-On: Ibe41ce3c488da9cd68d8833b61fd42682f0b4e73 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-10-05 17:28:33 -04:00
split_daemon => true,
Add nodepool host Change-Id: Ib216bd400aa269ccdb17848b3870ab65400cf3d2
2013-08-15 17:52:52 +00:00
}
Rename nodepool infracloud cacert from west to vanilla Change-Id: Ibdedc7dc24b1bb03bb4a25de1f8828cc9722d748
2016-08-24 12:38:45 +02:00
file { '/home/nodepool/.config/openstack/infracloud_vanilla_cacert.pem':
Put infracloud cert next to nodepool clouds.yaml We are installing a cert to trust the infracloud but were trying to put it in a dir that does not exist. Put it next to the clouds.yaml in ~nodepool/.config/openstack as that will exist because nodepool consumes clouds.yaml from there. Change-Id: I27e1a1d340e9864308c89c660ae014d7110fbe9f
2016-02-23 13:02:49 -08:00
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
Replace hpuswest naming for vanilla on hiera keys Change-Id: Ia2f0164b2c28a03281f50a8ec680c48e51c051f0
2016-08-23 12:36:18 +02:00
content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
Put infracloud cert next to nodepool clouds.yaml We are installing a cert to trust the infracloud but were trying to put it in a dir that does not exist. Put it next to the clouds.yaml in ~nodepool/.config/openstack as that will exist because nodepool consumes clouds.yaml from there. Change-Id: I27e1a1d340e9864308c89c660ae014d7110fbe9f
2016-02-23 13:02:49 -08:00
require => Class['::openstackci::nodepool'],
}
Add chocolate params and resources to Nodepool node Change-Id: Ib78594628ed3d2b780915fb50bb3943e10452ef5
2016-09-28 14:03:12 +02:00
file { '/home/nodepool/.config/openstack/infracloud_chocolate_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool'],
}
Preform housekeeping on git repos cloned by DIB Over time out git repos get large and require some upkeep. Ideally this should be done in the source-repositories element. We can revert this code once we have landed that upstream. Change-Id: I6b9ecd4448d97b5ab2bf3808ff36ff4e74be72e4 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-10-15 09:48:10 -04:00
cron { 'mirror_gitgc':
user => 'nodepool',
hour => '20',
minute => '0',
Limit depth on git cleanup nodepool is getting cron errors fatal: bad numeric config value 'no' for 'gc.auto' in /opt/dib_cache/source-repositories/deb_python_pygit2_... /test/data/testrepo.git/config: invalid unit as it is picking up [1]. What are the odds?! Limit the search to -depth 1 to avoid going any further than top-level directorires. [1] https://git.openstack.org/cgit/openstack/deb-python-pygit2/tree/test/data/testrepo.git/config Change-Id: I062805fe142610c7b3ab2eb422a230f7296cbca5
2017-04-12 09:20:39 +10:00
command => 'find /opt/dib_cache/source-repositories/ -maxdepth 1 -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
Preform housekeeping on git repos cloned by DIB Over time out git repos get large and require some upkeep. Ideally this should be done in the source-repositories element. We can revert this code once we have landed that upstream. Change-Id: I6b9ecd4448d97b5ab2bf3808ff36ff4e74be72e4 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-10-15 09:48:10 -04:00
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
require => Class['::openstackci::nodepool'],
Add chocolate params and resources to Nodepool node Change-Id: Ib78594628ed3d2b780915fb50bb3943e10452ef5
2016-09-28 14:03:12 +02:00
}
Add nodepool host Change-Id: Ib216bd400aa269ccdb17848b3870ab65400cf3d2
2013-08-15 17:52:52 +00:00
}
Add nl01.openstack.org server Stand up a server we'll be using for nodepool (zuulv3) testing. We'll be using this for the Atlanta PTG with the goal of moving it into production when our feature/zuulv3 branch is merged into master for nodepool. Change-Id: I7a3edb871510d1000a9bbf06944551d4b272ac8d Depends-On: I29e661e38e9a2a56a01a1c30f1dc1eae97a4de7b Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-02-07 10:48:57 -05:00
# Node-OS: trusty
# Node-OS: xenial
node /^nl\d+\.openstack\.org$/ {
$group = 'nodepool'
# TODO(pabelanger): Move all of this back into nodepool manifest, it has
# grown too big.
$rackspace_username = hiera('nodepool_rackspace_username', 'username')
$rackspace_password = hiera('nodepool_rackspace_password')
$rackspace_project = hiera('nodepool_rackspace_project', 'project')
$hpcloud_username = hiera('nodepool_hpcloud_username', 'username')
$hpcloud_password = hiera('nodepool_hpcloud_password')
$hpcloud_project = hiera('nodepool_hpcloud_project', 'project')
$internap_username = hiera('nodepool_internap_username', 'username')
$internap_password = hiera('nodepool_internap_password')
$internap_project = hiera('nodepool_internap_project', 'project')
$ovh_username = hiera('nodepool_ovh_username', 'username')
$ovh_password = hiera('nodepool_ovh_password')
$ovh_project = hiera('nodepool_ovh_project', 'project')
$tripleo_username = hiera('nodepool_tripleo_username', 'username')
$tripleo_password = hiera('nodepool_tripleo_password')
$tripleo_project = hiera('nodepool_tripleo_project', 'project')
$infracloud_vanilla_username = hiera('nodepool_infracloud_vanilla_username', 'username')
$infracloud_vanilla_password = hiera('nodepool_infracloud_vanilla_password')
$infracloud_vanilla_project = hiera('nodepool_infracloud_vanilla_project', 'project')
$infracloud_chocolate_username = hiera('nodepool_infracloud_chocolate_username', 'username')
$infracloud_chocolate_password = hiera('nodepool_infracloud_chocolate_password')
$infracloud_chocolate_project = hiera('nodepool_infracloud_chocolate_project', 'project')
$vexxhost_username = hiera('nodepool_vexxhost_username', 'username')
$vexxhost_password = hiera('nodepool_vexxhost_password')
$vexxhost_project = hiera('nodepool_vexxhost_project', 'project')
$citycloud_username = hiera('nodepool_citycloud_username', 'username')
$citycloud_password = hiera('nodepool_citycloud_password')
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
}
include openstack_project
class { '::openstackci::nodepool_launcher':
Add nodepool SSH private key to nl01.o.o Change-Id: Ifee0499809f7dbde0c9f82518adb39042191ec3f Depends-On: I148af66c52d515c030c3618b7d276febe97e5b57 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-02-20 13:46:36 -05:00
nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
oscc_file_contents => $clouds_yaml,
statsd_host => 'graphite.openstack.org',
revision => 'feature/zuulv3',
Move nl01.o.o to py3 In preparation of moving nodepool for zuulv3 to support only python 3, we need to move nl01 from py2 to py3 before we can remove the py2 nodepool jobs. Change-Id: I887cde9d0f6d304e63a9a9186c5298ccc78d0335 Depends-On: Icac77f88e411a3ac08fc54afb4e9746039f908e8
2017-07-19 11:21:35 -04:00
python_version => 3,
Add nl01.openstack.org server Stand up a server we'll be using for nodepool (zuulv3) testing. We'll be using this for the Atlanta PTG with the goal of moving it into production when our feature/zuulv3 branch is merged into master for nodepool. Change-Id: I7a3edb871510d1000a9bbf06944551d4b272ac8d Depends-On: I29e661e38e9a2a56a01a1c30f1dc1eae97a4de7b Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-02-07 10:48:57 -05:00
}
file { '/home/nodepool/.config/openstack/infracloud_vanilla_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_launcher'],
}
file { '/home/nodepool/.config/openstack/infracloud_chocolate_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_launcher'],
}
}
Add nb01.o.o / nb02.o.o as feature/zuulv3 Bring back online nb01 and nb02 so we can test feature/zuulv3 branch for nodepool-builder. This will allow us to rotate between master / feature/zuulv3 builders at the PTG. Change-Id: Ic66765fc16478434dea2ce865990f62625a354a9 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-07 15:01:07 -04:00
# Node-OS: xenial
node /^nb0[12].openstack\.org$/ {
$group = 'nodepool'
# TODO(pabelanger): Move all of this back into nodepool manifest, it has
# grown too big.
$rackspace_username = hiera('nodepool_rackspace_username', 'username')
$rackspace_password = hiera('nodepool_rackspace_password')
$rackspace_project = hiera('nodepool_rackspace_project', 'project')
$hpcloud_username = hiera('nodepool_hpcloud_username', 'username')
$hpcloud_password = hiera('nodepool_hpcloud_password')
$hpcloud_project = hiera('nodepool_hpcloud_project', 'project')
$internap_username = hiera('nodepool_internap_username', 'username')
$internap_password = hiera('nodepool_internap_password')
$internap_project = hiera('nodepool_internap_project', 'project')
$ovh_username = hiera('nodepool_ovh_username', 'username')
$ovh_password = hiera('nodepool_ovh_password')
$ovh_project = hiera('nodepool_ovh_project', 'project')
$tripleo_username = hiera('nodepool_tripleo_username', 'username')
$tripleo_password = hiera('nodepool_tripleo_password')
$tripleo_project = hiera('nodepool_tripleo_project', 'project')
$infracloud_vanilla_username = hiera('nodepool_infracloud_vanilla_username', 'username')
$infracloud_vanilla_password = hiera('nodepool_infracloud_vanilla_password')
$infracloud_vanilla_project = hiera('nodepool_infracloud_vanilla_project', 'project')
$infracloud_chocolate_username = hiera('nodepool_infracloud_chocolate_username', 'username')
$infracloud_chocolate_password = hiera('nodepool_infracloud_chocolate_password')
$infracloud_chocolate_project = hiera('nodepool_infracloud_chocolate_project', 'project')
$vexxhost_username = hiera('nodepool_vexxhost_username', 'username')
$vexxhost_password = hiera('nodepool_vexxhost_password')
$vexxhost_project = hiera('nodepool_vexxhost_project', 'project')
$citycloud_username = hiera('nodepool_citycloud_username', 'username')
$citycloud_password = hiera('nodepool_citycloud_password')
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80],
}
include openstack_project
class { '::openstackci::nodepool_builder':
nodepool_ssh_public_key => hiera('zuul_worker_ssh_public_key_contents'),
vhost_name => $::fqdn,
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
oscc_file_contents => $clouds_yaml,
image_log_document_root => '/var/log/nodepool/image',
statsd_host => 'graphite.openstack.org',
builder_logging_conf_template => 'openstack_project/nodepool/nodepool-builder.logging.conf.erb',
upload_workers => '16',
revision => 'feature/zuulv3',
Enable python3 support on nb01 / nb02 We currently only support python3 on feature/zuulv3 branch for nodepool. Change-Id: Ibb346819371df748eb5b1d4d9004b56fe8956f72 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-01-16 15:05:26 -05:00
python_version => 3,
Add nb01.o.o / nb02.o.o as feature/zuulv3 Bring back online nb01 and nb02 so we can test feature/zuulv3 branch for nodepool-builder. This will allow us to rotate between master / feature/zuulv3 builders at the PTG. Change-Id: Ic66765fc16478434dea2ce865990f62625a354a9 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-07 15:01:07 -04:00
}
file { '/home/nodepool/.config/openstack/infracloud_vanilla_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_builder'],
}
file { '/home/nodepool/.config/openstack/infracloud_chocolate_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_builder'],
}
cron { 'mirror_gitgc':
user => 'nodepool',
hour => '20',
minute => '0',
command => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
require => Class['::openstackci::nodepool_builder'],
}
}
Add nodepool builder nodes This supports our first independent nodepool builder server. It will run the zuulv3 branch in parallel with the current master/ production branch to start. Change-Id: Ic2fe4c6ac66cdeed909dd0aba35f233b61e270b1 Depends-On: I9d45d1e0ab2bcacdf9609329b88e7de45f827f74
2016-11-22 15:11:32 -08:00
# Node-OS: trusty
# Node-OS: xenial
Update regex for nb03.o.o / nb04.o.o We want to keep nb03 / nb04 running master branch of nodepool, but be able to bring on nb01.o.o / nb02.o.o as a different branch. Change-Id: Ic9714b616595ca4bcf84c725d3ded5d42d71c5b1 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-07 14:58:42 -04:00
node /^nb0[34].openstack\.org$/ {
Add nodepool hiera group Also sort the groups. Change-Id: I6c8718894c065549d5dfb37dae26a9c157c9cb09
2016-11-23 11:27:16 -08:00
$group = 'nodepool'
Add nodepool builder nodes This supports our first independent nodepool builder server. It will run the zuulv3 branch in parallel with the current master/ production branch to start. Change-Id: Ic2fe4c6ac66cdeed909dd0aba35f233b61e270b1 Depends-On: I9d45d1e0ab2bcacdf9609329b88e7de45f827f74
2016-11-22 15:11:32 -08:00
# TODO(pabelanger): Move all of this back into nodepool manifest, it has
# grown too big.
$rackspace_username = hiera('nodepool_rackspace_username', 'username')
$rackspace_password = hiera('nodepool_rackspace_password')
$rackspace_project = hiera('nodepool_rackspace_project', 'project')
$hpcloud_username = hiera('nodepool_hpcloud_username', 'username')
$hpcloud_password = hiera('nodepool_hpcloud_password')
$hpcloud_project = hiera('nodepool_hpcloud_project', 'project')
$internap_username = hiera('nodepool_internap_username', 'username')
$internap_password = hiera('nodepool_internap_password')
$internap_project = hiera('nodepool_internap_project', 'project')
$ovh_username = hiera('nodepool_ovh_username', 'username')
$ovh_password = hiera('nodepool_ovh_password')
$ovh_project = hiera('nodepool_ovh_project', 'project')
$tripleo_username = hiera('nodepool_tripleo_username', 'username')
$tripleo_password = hiera('nodepool_tripleo_password')
$tripleo_project = hiera('nodepool_tripleo_project', 'project')
$infracloud_vanilla_username = hiera('nodepool_infracloud_vanilla_username', 'username')
$infracloud_vanilla_password = hiera('nodepool_infracloud_vanilla_password')
$infracloud_vanilla_project = hiera('nodepool_infracloud_vanilla_project', 'project')
$infracloud_chocolate_username = hiera('nodepool_infracloud_chocolate_username', 'username')
$infracloud_chocolate_password = hiera('nodepool_infracloud_chocolate_password')
$infracloud_chocolate_project = hiera('nodepool_infracloud_chocolate_project', 'project')
$vexxhost_username = hiera('nodepool_vexxhost_username', 'username')
$vexxhost_password = hiera('nodepool_vexxhost_password')
$vexxhost_project = hiera('nodepool_vexxhost_project', 'project')
$citycloud_username = hiera('nodepool_citycloud_username', 'username')
$citycloud_password = hiera('nodepool_citycloud_password')
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80],
}
include openstack_project
class { '::openstackci::nodepool_builder':
Add SSH public key to nodepool-builder Since we use DIB elements to create our zuul user, we also need to have our SSH public key on disk. Other wise, diskimage builds will fail. Change-Id: I9dec17fe8937eca363cafb636cb2dd4359e5edc2 Depends-On: Ic80f2337d42ea228496b4dafcf32303fbc2ef3e5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-11-29 11:19:26 -05:00
nodepool_ssh_public_key => hiera('zuul_worker_ssh_public_key_contents'),
Add nodepool builder nodes This supports our first independent nodepool builder server. It will run the zuulv3 branch in parallel with the current master/ production branch to start. Change-Id: Ic2fe4c6ac66cdeed909dd0aba35f233b61e270b1 Depends-On: I9d45d1e0ab2bcacdf9609329b88e7de45f827f74
2016-11-22 15:11:32 -08:00
vhost_name => $::fqdn,
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
oscc_file_contents => $clouds_yaml,
image_log_document_root => '/var/log/nodepool/image',
statsd_host => 'graphite.openstack.org',
builder_logging_conf_template => 'openstack_project/nodepool/nodepool-builder.logging.conf.erb',
upload_workers => '16',
}
file { '/home/nodepool/.config/openstack/infracloud_vanilla_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_builder'],
}
file { '/home/nodepool/.config/openstack/infracloud_chocolate_cacert.pem':
ensure => present,
owner => 'nodepool',
group => 'nodepool',
mode => '0600',
content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
require => Class['::openstackci::nodepool_builder'],
}
cron { 'mirror_gitgc':
user => 'nodepool',
hour => '20',
minute => '0',
command => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
require => Class['::openstackci::nodepool_builder'],
}
}
Create ze01.openstack.org This server will be used to run zuul-executors on. We'll only launch a single service first so we can ensure it works before bringing more online. Change-Id: If0bdb26aeca68f992dce0dbed83008d6fa0bc5b9 Depends-On: Iddac03a7187df47d2c72d957a50610f8b6a1dff5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 16:06:22 -04:00
# Node-OS: xenial
node /^ze\d+\.openstack\.org$/ {
Create zuul-executor hiera group We'll use this to share common secrets between zuul-executors. Change-Id: Ib15a010ccf4cb9d2ee42a8322d4b85af1d338301 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-06 12:36:44 -04:00
$group = "zuul-executor"
Add static private key to zuul-executor So that trusted playbooks can copy content to logs.openstack.org put the ssh private key for the existing jenkins@static.openstack.org user on the zuul executors. Change-Id: Id11007c48178f32dc3bffe1c102d991bad9294c7
2017-06-27 13:36:16 -07:00
$gerrit_server = 'review.openstack.org'
$gerrit_user = 'zuul'
$gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
$gerrit_ssh_private_key = hiera('gerrit_ssh_private_key_contents')
$zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
$zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
$git_email = 'zuul@openstack.org'
$git_name = 'OpenStack Zuul'
$revision = 'feature/zuulv3'
Create ze01.openstack.org This server will be used to run zuul-executors on. We'll only launch a single service first so we can ensure it works before bringing more online. Change-Id: If0bdb26aeca68f992dce0dbed83008d6fa0bc5b9 Depends-On: Iddac03a7187df47d2c72d957a50610f8b6a1dff5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 16:06:22 -04:00
class { 'openstack_project::server':
Zuul executor needs to open port 7900 now. Keep both ports open for the transition, then will remove port 79 later. Change-Id: I66a669487182c42fa86c6ce2779c3b5e6f3a204b
2018-01-10 20:56:47 -05:00
iptables_public_tcp_ports => [79, 7900],
Create ze01.openstack.org This server will be used to run zuul-executors on. We'll only launch a single service first so we can ensure it works before bringing more online. Change-Id: If0bdb26aeca68f992dce0dbed83008d6fa0bc5b9 Depends-On: Iddac03a7187df47d2c72d957a50610f8b6a1dff5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 16:06:22 -04:00
sysadmins => hiera('sysadmins', []),
Install AFS client on ze* Change-Id: I0e235dff3304410337beaa720be75db9c75678a1
2017-08-30 19:57:12 -05:00
afs => true,
Create ze01.openstack.org This server will be used to run zuul-executors on. We'll only launch a single service first so we can ensure it works before bringing more online. Change-Id: If0bdb26aeca68f992dce0dbed83008d6fa0bc5b9 Depends-On: Iddac03a7187df47d2c72d957a50610f8b6a1dff5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 16:06:22 -04:00
}
Add site_variables_yaml_file to ze01.o.o This now properly adds site_variables_yaml_file to the ::zuul class. Change-Id: I4b78ee9140a715da137215f678bc0d8ad8229836 Depends-On: I734f2c338ceab2b1da2a3245423cb912b7dd8c00 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-03 21:05:14 -04:00
class { '::project_config':
url => 'https://git.openstack.org/openstack-infra/project-config',
}
Create ze01.openstack.org This server will be used to run zuul-executors on. We'll only launch a single service first so we can ensure it works before bringing more online. Change-Id: If0bdb26aeca68f992dce0dbed83008d6fa0bc5b9 Depends-On: Iddac03a7187df47d2c72d957a50610f8b6a1dff5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 16:06:22 -04:00
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
# settings.
class { '::zuul':
Add site_variables_yaml_file to ze01.o.o This now properly adds site_variables_yaml_file to the ::zuul class. Change-Id: I4b78ee9140a715da137215f678bc0d8ad8229836 Depends-On: I734f2c338ceab2b1da2a3245423cb912b7dd8c00 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-03 21:05:14 -04:00
gearman_server => 'zuulv3.openstack.org',
gerrit_server => $gerrit_server,
gerrit_user => $gerrit_user,
zuul_ssh_private_key => $gerrit_ssh_private_key,
git_email => $git_email,
git_name => $git_name,
worker_private_key_file => '/var/lib/zuul/ssh/nodepool_id_rsa',
revision => $revision,
python_version => 3,
zookeeper_hosts => 'nodepool.openstack.org:2181',
zuulv3 => true,
connections => hiera('zuul_connections', []),
gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
gearman_ssl_ca => hiera('gearman_ssl_ca'),
Add /etc/openafs/ to trusted_ro_paths for zuul-executor We should no depend on this long term and write a proper ansible role to setup this directly within bubblewrap. Change-Id: I067658b62fe41fee98683c1974d9242e760443da Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-31 12:44:03 -04:00
#TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
# properly. We need to revisting this post Queens PTG.
Revert "Add /usr/share/ca-certificates to trusted_ro_paths" This reverts commit ef6754bc658fcf38563c9f3e34f3b31ebc6581cb. Bubblewrap already bind-mounts /usr into the chroot, so this was redundant (the problem prompting its addition seems to be unrelated and was not fixed this way). Change-Id: I1ff16b675d20a5a69c9fad7710cc9b05dd09d451
2017-10-23 15:37:44 +00:00
trusted_ro_paths => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
Add /afs to trusted_rw_paths AFS jobs for zuulv3 will need write access to this directory. Change-Id: Ia852a7c26ed3de76259b66d559c25ae64d54531a Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-31 19:08:23 -04:00
trusted_rw_paths => ['/afs'],
Also add /etc/ssl/certs to untrusted_ro_paths Change Ib662afbc0e3375a2d461ef7fc6e7e4f8741a700c added /etc/ssl/certs to trusted_ro_paths, but we also have untrusted playbooks which need to be able to validate X.509 server certificates for HTTPS so it needs to be in the untrusted_ro_paths list as well. Change-Id: Ia0519ea2c821be63f6193754144d729cf5818152
2017-10-23 15:41:10 +00:00
untrusted_ro_paths => ['/etc/ssl/certs'],
Bump zuul v3 executor disk limit We need to work out what the real value of this is, but for the migration open it fairly wide. Change-Id: I3486d5a3f398a228d204c7987acd44967a9e8d20
2017-09-22 15:13:06 -05:00
disk_limit_per_job => 5000, # Megabytes
Add site_variables_yaml_file to ze01.o.o This now properly adds site_variables_yaml_file to the ::zuul class. Change-Id: I4b78ee9140a715da137215f678bc0d8ad8229836 Depends-On: I734f2c338ceab2b1da2a3245423cb912b7dd8c00 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-03 21:05:14 -04:00
site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
require => $::project_config::config_dir,
Add statsd_host to zuulv3.o.o, zuul-mergers and zuul-executors If we want to send stats to graphite.o.o, we need to properly configure it. Change-Id: I7d19cec397e9f8aa83a07a887f29dc3f1e0bb8a2 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-10-15 20:40:26 -04:00
statsd_host => 'graphite.openstack.org',
Create ze01.openstack.org This server will be used to run zuul-executors on. We'll only launch a single service first so we can ensure it works before bringing more online. Change-Id: If0bdb26aeca68f992dce0dbed83008d6fa0bc5b9 Depends-On: Iddac03a7187df47d2c72d957a50610f8b6a1dff5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 16:06:22 -04:00
}
Revert "Add site-variable yaml file to ze01.o.o" This isn't actually correct, we'll need to add it into ::zuul manifest to access zuul.conf file. This reverts commit e323bf97f7672bbe324743c9b255ccf02f56fc3c. Change-Id: I7983ff9cfaea1ee6d3b099824b5f31df98ce72a5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-08-03 21:01:44 -04:00
class { '::zuul::executor': }
Add gerrit information to ze01.o.o Because zuul-executors do merging too, we need to populate both ssh keys for gerrit and how to connect to gerrit. Change-Id: Ifde6f01ab509495a373b77677883625e80d3b2ab Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-07 14:07:52 -04:00
Install gear for python2 on zuul executors We need to be able to use it from a module on the executors. Change-Id: If4e84deb6abdd34bc6e2850f72d375daf04373d0
2017-09-11 12:20:17 -06:00
# This is used by the log job submission playbook which runs under
# python2
package { 'gear':
ensure => latest,
provider => openstack_pip,
require => Class['pip'],
}
Add gerrit information to ze01.o.o Because zuul-executors do merging too, we need to populate both ssh keys for gerrit and how to connect to gerrit. Change-Id: Ifde6f01ab509495a373b77677883625e80d3b2ab Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-07 14:07:52 -04:00
file { '/var/lib/zuul/ssh/nodepool_id_rsa':
owner => 'zuul',
group => 'zuul',
mode => '0400',
require => File['/var/lib/zuul/ssh'],
content => $zuul_ssh_private_key,
}
Add ssh known_hosts to ze01.o.o Ensure known_hosts is managed by puppet and contains the correct values for review.o.o. Change-Id: I9a020773cfa5000969b5c18e8f7d7a1df60f8f02 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-08 17:59:26 -04:00
Add static private key to zuul-executor So that trusted playbooks can copy content to logs.openstack.org put the ssh private key for the existing jenkins@static.openstack.org user on the zuul executors. Change-Id: Id11007c48178f32dc3bffe1c102d991bad9294c7
2017-06-27 13:36:16 -07:00
file { '/var/lib/zuul/ssh/static_id_rsa':
owner => 'zuul',
group => 'zuul',
mode => '0400',
require => File['/var/lib/zuul/ssh'],
content => $zuul_static_private_key,
}
Add ssh known_hosts to ze01.o.o Ensure known_hosts is managed by puppet and contains the correct values for review.o.o. Change-Id: I9a020773cfa5000969b5c18e8f7d7a1df60f8f02 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-08 17:59:26 -04:00
class { '::zuul::known_hosts':
Update ze01.o.o known_host file with proper IP addresses This was copypasta from zuul_merger.pp, it seems that data is no longer correct. First fix ze01.o.o and follow up with a patch to zuul_merger.pp after. Change-Id: Ia1a81d7f95040cd5179a3d1e4dc2621e40eec586 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-09 12:57:58 -04:00
known_hosts_content => "review.openstack.org,104.130.246.91,2001:4800:7819:103:be76:4eff:fe05:8525 ${gerrit_ssh_host_key}",
Add ssh known_hosts to ze01.o.o Ensure known_hosts is managed by puppet and contains the correct values for review.o.o. Change-Id: I9a020773cfa5000969b5c18e8f7d7a1df60f8f02 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-08 17:59:26 -04:00
}
Create ze01.openstack.org This server will be used to run zuul-executors on. We'll only launch a single service first so we can ensure it works before bringing more online. Change-Id: If0bdb26aeca68f992dce0dbed83008d6fa0bc5b9 Depends-On: Iddac03a7187df47d2c72d957a50610f8b6a1dff5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-01 16:06:22 -04:00
}
Add zuulv3.o.o server The time has come for us to create zuulv3.o.o under xenial. This will install zuul under python3 also. Change-Id: Iec3fb24c315a395fd6455d0f609830503537e5c0 Depends-On: I943e5cbcc55a09edb9431298e3f0a17e2aef5acf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-31 14:08:50 -07:00
# Node-OS: xenial
node 'zuulv3.openstack.org' {
$gerrit_server = 'review.openstack.org'
$gerrit_user = 'zuul'
$gerrit_ssh_host_key = hiera('gerrit_zuul_user_ssh_key_contents')
$zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
$zuul_url = "http://${::fqdn}/p"
$git_email = 'zuul@openstack.org'
$git_name = 'OpenStack Zuul'
$revision = 'feature/zuulv3'
Allow ze01.o.o access to gearman / add to cacti.o.o We also need to add gearman configuration to ze01.o.o Change-Id: I1ed1f7b41fb85ab831d2752d1de4a2d1dad00ec0 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-06 15:29:37 -04:00
$gearman_workers = [
'ze01.openstack.org',
Remove zl07-zl09; add ze02-ze04 Remove configuration for some unneeded v2 launchers and replace them with some v3 executors. Change-Id: I1cdef87d3fde9928f9b04ee4cbf704d671c9bee0
2017-08-16 08:59:10 -07:00
'ze02.openstack.org',
'ze03.openstack.org',
'ze04.openstack.org',
Support ze05.o.o to ze08.o.o Bring online 4 more zuul-executors for zuulv3.o.o. Change-Id: Ice42333f5c06f3ed0d32eeda65d09794a523f355 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-11 19:03:41 -04:00
'ze05.openstack.org',
'ze06.openstack.org',
'ze07.openstack.org',
'ze08.openstack.org',
Bring ze09.o.o and ze10.o.o online We are having load issues on our current 8 zuul-executors, bring online 2 more to help spread the load. It is possibl we need to do this a few times until we find the proper amount. Change-Id: I84b366e6c89ff3b7c4dfd5a363047b8573f4dd95 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-10-02 12:13:48 -04:00
'ze09.openstack.org',
'ze10.openstack.org',
Switch zm[1-4].o.o to zuulv3 The trusty based zm[1-4].o.o hosts have been removed and we are rebuilding them as Xenial for zuulv3. This switches the config for them. Change-Id: I050ce81e3f92b475c605a079e967837c42004f9c
2017-10-26 11:12:11 +11:00
'zm01.openstack.org',
'zm02.openstack.org',
'zm03.openstack.org',
'zm04.openstack.org',
Add zuulv3 mergers to zuulv3.o.o Allow zuulv3 mergers to talk to gearman on zuulv3.o.o. Change-Id: I148650f70f37eaf8f232e6ce893426254dcfdb2a Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-11 14:18:28 -04:00
'zm05.openstack.org',
'zm06.openstack.org',
'zm07.openstack.org',
'zm08.openstack.org',
Allow ze01.o.o access to gearman / add to cacti.o.o We also need to add gearman configuration to ze01.o.o Change-Id: I1ed1f7b41fb85ab831d2752d1de4a2d1dad00ec0 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-06 15:29:37 -04:00
]
$iptables_rules = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
Add zuulv3.o.o server The time has come for us to create zuulv3.o.o under xenial. This will install zuul under python3 also. Change-Id: Iec3fb24c315a395fd6455d0f609830503537e5c0 Depends-On: I943e5cbcc55a09edb9431298e3f0a17e2aef5acf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-31 14:08:50 -07:00
class { 'openstack_project::server':
Open finger port for zuulv3 The zuul-fingergw process listens on port 79 for incoming finger requests to stream logs. Change-Id: I36cfd9651eaa2922ba5820b6657bffeccf26a6e7
2018-01-02 13:34:31 -05:00
iptables_public_tcp_ports => [79, 80, 443],
Allow ze01.o.o access to gearman / add to cacti.o.o We also need to add gearman configuration to ze01.o.o Change-Id: I1ed1f7b41fb85ab831d2752d1de4a2d1dad00ec0 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-06 15:29:37 -04:00
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
Add zuulv3.o.o server The time has come for us to create zuulv3.o.o under xenial. This will install zuul under python3 also. Change-Id: Iec3fb24c315a395fd6455d0f609830503537e5c0 Depends-On: I943e5cbcc55a09edb9431298e3f0a17e2aef5acf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-31 14:08:50 -07:00
sysadmins => hiera('sysadmins', []),
}
class { '::project_config':
url => 'https://git.openstack.org/openstack-infra/project-config',
}
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
# settings.
class { '::zuul':
Add self-signed cert for zuulv3.o.o This was imported from local snake-oil cert generated by zuulv3.o.o. Also open 443 on firewall. Change-Id: Icfbf2097fd671763c5b3d2232fe77f7ff5a0cbca Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-07-28 15:04:00 -04:00
gerrit_server => $gerrit_server,
gerrit_user => $gerrit_user,
zuul_ssh_private_key => $zuul_ssh_private_key,
git_email => $git_email,
git_name => $git_name,
revision => $revision,
python_version => 3,
zookeeper_hosts => 'nodepool.openstack.org:2181',
Set zuul zookeeper session timeout to 40s The current max. Change-Id: I4dd37975fa9015f65dd165c8356ac03c8cbe054e Depends-On: I743bfa28d2faaa93bba6fc975d575696bd8a5a70
2017-09-28 10:44:41 -07:00
zookeeper_session_timeout => 40,
Add self-signed cert for zuulv3.o.o This was imported from local snake-oil cert generated by zuulv3.o.o. Also open 443 on firewall. Change-Id: Icfbf2097fd671763c5b3d2232fe77f7ff5a0cbca Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-07-28 15:04:00 -04:00
zuulv3 => true,
connections => hiera('zuul_connections', []),
connection_secrets => hiera('zuul_connection_secrets', []),
zuul_status_url => 'http://127.0.0.1:8001/openstack',
Update zuul_web_url Recent changes to zuul-web have tenant-scoped many of these urls. Puppet-zuul has been updated so that if we pass in this value, our URLs should map to the openstack tenant. Change-Id: I8df43eb1b58326248ea1cf0c3812a8b26d9ac108 Depends-On: Idd84facca4a0e0170234bf7d4ee2b42811f52b67
2017-12-08 14:50:26 -08:00
zuul_web_url => 'http://127.0.0.1:9000/openstack',
Add self-signed cert for zuulv3.o.o This was imported from local snake-oil cert generated by zuulv3.o.o. Also open 443 on firewall. Change-Id: Icfbf2097fd671763c5b3d2232fe77f7ff5a0cbca Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-07-28 15:04:00 -04:00
gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
gearman_ssl_ca => hiera('gearman_ssl_ca'),
proxy_ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
proxy_ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
Add statsd_host to zuulv3.o.o, zuul-mergers and zuul-executors If we want to send stats to graphite.o.o, we need to properly configure it. Change-Id: I7d19cec397e9f8aa83a07a887f29dc3f1e0bb8a2 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-10-15 20:40:26 -04:00
statsd_host => 'graphite.openstack.org',
Add zuulv3.o.o server The time has come for us to create zuulv3.o.o under xenial. This will install zuul under python3 also. Change-Id: Iec3fb24c315a395fd6455d0f609830503537e5c0 Depends-On: I943e5cbcc55a09edb9431298e3f0a17e2aef5acf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-31 14:08:50 -07:00
}
Write github app key to a file on disk The app_key config entry for zuul actually wants a path to a file, not the key content itself. Write it to disk and update the config. Do the file writing in site.pp and not puppet-zuul because it's an arbitrary filename/content. A zuul user could have zero or many github connections, and the connection data is stored in a hash in hiera, so there's not a super great way to add key writing support to puppet-zuul itself at the moment. It's also a single file. Change-Id: I43f93f59b9a82186a60734810a277edeac67bbac
2017-07-28 03:20:41 -05:00
file { "/etc/zuul/github.key":
ensure => present,
owner => 'zuul',
group => 'zuul',
mode => '0600',
content => hiera('zuul_github_app_key'),
require => File['/etc/zuul'],
}
Add zuulv3.o.o server The time has come for us to create zuulv3.o.o under xenial. This will install zuul under python3 also. Change-Id: Iec3fb24c315a395fd6455d0f609830503537e5c0 Depends-On: I943e5cbcc55a09edb9431298e3f0a17e2aef5acf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-31 14:08:50 -07:00
class { '::zuul::scheduler':
Enable SQL support for zuul v3 scheduler We need to flip a flag and be clear about python version. Change-Id: I4784b0c7256d6e1d3b8b2ed1145fcbff30ce4ac5 Depends-On: I4cad419598ffefcdca5161664c6d073da37fb42f
2017-07-27 13:55:15 -05:00
layout_dir => $::project_config::zuul_layout_dir,
require => $::project_config::config_dir,
python_version => 3,
use_mysql => true,
Add zuulv3.o.o server The time has come for us to create zuulv3.o.o under xenial. This will install zuul under python3 also. Change-Id: Iec3fb24c315a395fd6455d0f609830503537e5c0 Depends-On: I943e5cbcc55a09edb9431298e3f0a17e2aef5acf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-31 14:08:50 -07:00
}
Run zuul-web on zuulv3.o.o We want to run the zuul-web process so that we get websocket streaming. Change-Id: I7313619e3a6c1dfb5696732792733d98b19b0783 Depends-On: Ic79681b287dbd1a44469da70c680060940734f40
2017-07-12 05:19:36 -05:00
class { '::zuul::web': }
Add finger gateway to zuulv3 Change-Id: I621a72f615b8986db8b37626f42c182c12ae24fa Depends-On: I1129be61c0a77dbd46e402204ea8c4da2889b016
2017-12-21 13:19:12 -08:00
class { '::zuul::fingergw': }
Backup zuulv3 with bup Add bup (pointing to updated server, see I7d0c96ef6f1c68d977da70c047065b10f975b4f2) for zuulv3 backup Change-Id: Ifc8a3835d838209db93df803c1aa19a114b4abc3
2017-10-30 12:41:13 +11:00
include bup
bup::site { 'rax.ord':
backup_user => 'bup-zuulv3',
backup_server => 'backup01.ord.rax.ci.openstack.org',
}
Add zuulv3.o.o server The time has come for us to create zuulv3.o.o under xenial. This will install zuul under python3 also. Change-Id: Iec3fb24c315a395fd6455d0f609830503537e5c0 Depends-On: I943e5cbcc55a09edb9431298e3f0a17e2aef5acf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-05-31 14:08:50 -07:00
}
Add a zuul01.openstack.org In preparation for replacing the zuulv3.openstack.org host with a larger instance, set up the necessary support in Puppet/Hiera/Ansible. While we're here, remove or replace old references to the since-deleted zuul.openstack.org instance, and where possible update documentation and configuration to refer to the new zuul.openstack.org CNAME instead of the zuulv3.openstack.org FQDN so as to smooth the future transition. Change-Id: Ie51e133afb238dcfdbeff09747cbd2e53093ef84
2018-01-15 20:32:54 +00:00
# Node-OS: xenial
node /^zuul\d+\.openstack\.org$/ {
Set the zuul-scheduler group for zuul01 Nodes matching zuulNN.openstack.org should get the Hiera files for the zuul-scheduler group copied to them, so set the appropriate group variable in the corresponding global site manifest entry. Change-Id: Ic89208d57b26a4dc17f0fc49102cb0ee034e4069
2018-01-16 18:19:21 +00:00
$group = "zuul-scheduler"
Add a zuul01.openstack.org In preparation for replacing the zuulv3.openstack.org host with a larger instance, set up the necessary support in Puppet/Hiera/Ansible. While we're here, remove or replace old references to the since-deleted zuul.openstack.org instance, and where possible update documentation and configuration to refer to the new zuul.openstack.org CNAME instead of the zuulv3.openstack.org FQDN so as to smooth the future transition. Change-Id: Ie51e133afb238dcfdbeff09747cbd2e53093ef84
2018-01-15 20:32:54 +00:00
$gerrit_server = 'review.openstack.org'
$gerrit_user = 'zuul'
$gerrit_ssh_host_key = hiera('gerrit_zuul_user_ssh_key_contents')
$zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
$zuul_url = "http://zuul.openstack.org/p"
$git_email = 'zuul@openstack.org'
$git_name = 'OpenStack Zuul'
$revision = 'feature/zuulv3'
Break out openstack_project::server from zuul_prod.pp Change-Id: I1a38a283ed0fe06d51a57b3c43ca708978132255 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-02-07 15:05:42 -05:00
$gearman_workers = [
Add a zuul01.openstack.org In preparation for replacing the zuulv3.openstack.org host with a larger instance, set up the necessary support in Puppet/Hiera/Ansible. While we're here, remove or replace old references to the since-deleted zuul.openstack.org instance, and where possible update documentation and configuration to refer to the new zuul.openstack.org CNAME instead of the zuulv3.openstack.org FQDN so as to smooth the future transition. Change-Id: Ie51e133afb238dcfdbeff09747cbd2e53093ef84
2018-01-15 20:32:54 +00:00
'ze01.openstack.org',
'ze02.openstack.org',
'ze03.openstack.org',
'ze04.openstack.org',
'ze05.openstack.org',
'ze06.openstack.org',
'ze07.openstack.org',
'ze08.openstack.org',
'ze09.openstack.org',
'ze10.openstack.org',
'zm01.openstack.org',
'zm02.openstack.org',
'zm03.openstack.org',
'zm04.openstack.org',
'zm05.openstack.org',
'zm06.openstack.org',
'zm07.openstack.org',
'zm08.openstack.org',
Break out openstack_project::server from zuul_prod.pp Change-Id: I1a38a283ed0fe06d51a57b3c43ca708978132255 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-02-07 15:05:42 -05:00
]
$iptables_rules = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
class { 'openstack_project::server':
Add a zuul01.openstack.org In preparation for replacing the zuulv3.openstack.org host with a larger instance, set up the necessary support in Puppet/Hiera/Ansible. While we're here, remove or replace old references to the since-deleted zuul.openstack.org instance, and where possible update documentation and configuration to refer to the new zuul.openstack.org CNAME instead of the zuulv3.openstack.org FQDN so as to smooth the future transition. Change-Id: Ie51e133afb238dcfdbeff09747cbd2e53093ef84
2018-01-15 20:32:54 +00:00
iptables_public_tcp_ports => [79, 80, 443],
Break out openstack_project::server from zuul_prod.pp Change-Id: I1a38a283ed0fe06d51a57b3c43ca708978132255 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-02-07 15:05:42 -05:00
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
sysadmins => hiera('sysadmins', []),
}
Add a zuul01.openstack.org In preparation for replacing the zuulv3.openstack.org host with a larger instance, set up the necessary support in Puppet/Hiera/Ansible. While we're here, remove or replace old references to the since-deleted zuul.openstack.org instance, and where possible update documentation and configuration to refer to the new zuul.openstack.org CNAME instead of the zuulv3.openstack.org FQDN so as to smooth the future transition. Change-Id: Ie51e133afb238dcfdbeff09747cbd2e53093ef84
2018-01-15 20:32:54 +00:00
class { '::project_config':
url => 'https://git.openstack.org/openstack-infra/project-config',
Fix typo in puppet Change-Id: I39c29152e985aceefd1cc9032ca51081668d787d
2014-01-08 16:12:39 +08:00
}
Add a zuul01.openstack.org In preparation for replacing the zuulv3.openstack.org host with a larger instance, set up the necessary support in Puppet/Hiera/Ansible. While we're here, remove or replace old references to the since-deleted zuul.openstack.org instance, and where possible update documentation and configuration to refer to the new zuul.openstack.org CNAME instead of the zuulv3.openstack.org FQDN so as to smooth the future transition. Change-Id: Ie51e133afb238dcfdbeff09747cbd2e53093ef84
2018-01-15 20:32:54 +00:00
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
# settings.
class { '::zuul':
gerrit_server => $gerrit_server,
gerrit_user => $gerrit_user,
zuul_ssh_private_key => $zuul_ssh_private_key,
git_email => $git_email,
git_name => $git_name,
revision => $revision,
python_version => 3,
zookeeper_hosts => 'nodepool.openstack.org:2181',
zookeeper_session_timeout => 40,
zuulv3 => true,
connections => hiera('zuul_connections', []),
connection_secrets => hiera('zuul_connection_secrets', []),
zuul_status_url => 'http://127.0.0.1:8001/openstack',
zuul_web_url => 'http://127.0.0.1:9000/openstack',
gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
gearman_ssl_ca => hiera('gearman_ssl_ca'),
proxy_ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
proxy_ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
statsd_host => 'graphite.openstack.org',
}
file { "/etc/zuul/github.key":
ensure => present,
owner => 'zuul',
group => 'zuul',
mode => '0600',
content => hiera('zuul_github_app_key'),
require => File['/etc/zuul'],
}
class { '::zuul::scheduler':
layout_dir => $::project_config::zuul_layout_dir,
require => $::project_config::config_dir,
python_version => 3,
use_mysql => true,
}
class { '::zuul::web': }
class { '::zuul::fingergw': }
include bup
bup::site { 'rax.ord':
backup_user => 'bup-zuulv3',
backup_server => 'backup01.ord.rax.ci.openstack.org',
}
Add zuul-dev.openstack.org. And connect it to the firehose. Change-Id: Id860ff329e33a588d669608e5402bdb3765001dd Reviewed-on: https://review.openstack.org/28742 Reviewed-by: Khai Do <zaro0508@gmail.com> Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Approved: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2013-05-09 16:06:21 -07:00
}
feature/zuulv3 zm05.o.o to zm08.o.o Add zuul-mergers for xenial and feature/zuulv3 Change-Id: Ifd8c14c8665687f8d77e3980dba56e781eb91c95 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-10 13:57:57 -04:00
# Node-OS: xenial
Switch zm[1-4].o.o to zuulv3 The trusty based zm[1-4].o.o hosts have been removed and we are rebuilding them as Xenial for zuulv3. This switches the config for them. Change-Id: I050ce81e3f92b475c605a079e967837c42004f9c
2017-10-26 11:12:11 +11:00
node /^zm\d+.openstack\.org$/ {
feature/zuulv3 zm05.o.o to zm08.o.o Add zuul-mergers for xenial and feature/zuulv3 Change-Id: Ifd8c14c8665687f8d77e3980dba56e781eb91c95 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-10 13:57:57 -04:00
$group = "zuul-merger"
$gerrit_server = 'review.openstack.org'
$gerrit_user = 'zuul'
Fix typo with zuulv3 mergers gerrit hostkey We incorrectly created known_hosts on zuulv3 mergers. Change-Id: I1e0739679c202d024edb056fa9874849856f03b5 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-12 12:58:13 -04:00
$gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
Add zuulv3 private SSH key to zm05-zm08 servers Because this is shared with zm01-zm04, we only got the jenkins user SSH keys. So we need to also add zuul user ssh keys, but we can refactor this once zuulv2.5 is done. Change-Id: I9c9adb1943b165014de516849de79d999419069d Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-11 15:45:39 -04:00
$zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
feature/zuulv3 zm05.o.o to zm08.o.o Add zuul-mergers for xenial and feature/zuulv3 Change-Id: Ifd8c14c8665687f8d77e3980dba56e781eb91c95 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-10 13:57:57 -04:00
$zuul_url = "http://${::fqdn}/p"
$git_email = 'zuul@openstack.org'
$git_name = 'OpenStack Zuul'
$revision = 'feature/zuulv3'
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
# settings.
class { '::zuul':
gearman_server => 'zuulv3.openstack.org',
gerrit_server => $gerrit_server,
gerrit_user => $gerrit_user,
zuul_ssh_private_key => $zuul_ssh_private_key,
git_email => $git_email,
git_name => $git_name,
revision => $revision,
python_version => 3,
zookeeper_hosts => 'nodepool.openstack.org:2181',
zuulv3 => true,
connections => hiera('zuul_connections', []),
gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
gearman_ssl_ca => hiera('gearman_ssl_ca'),
Add statsd_host to zuulv3.o.o, zuul-mergers and zuul-executors If we want to send stats to graphite.o.o, we need to properly configure it. Change-Id: I7d19cec397e9f8aa83a07a887f29dc3f1e0bb8a2 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-10-15 20:40:26 -04:00
statsd_host => 'graphite.openstack.org',
feature/zuulv3 zm05.o.o to zm08.o.o Add zuul-mergers for xenial and feature/zuulv3 Change-Id: Ifd8c14c8665687f8d77e3980dba56e781eb91c95 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-09-10 13:57:57 -04:00
}
class { 'openstack_project::zuul_merger':
gerrit_server => $gerrit_server,
gerrit_user => $gerrit_user,
gerrit_ssh_host_key => $gerrit_ssh_host_key,
zuul_ssh_private_key => $zuul_ssh_private_key,
manage_common_zuul => false,
}
}
Migrate pbx.openstack.org to Ubuntu Trusty Centos6 is being deprecated so we need to move to something newer. This will require pbx.o.o to be rebuilt. Change-Id: Id3fc74bf58ba5febac79674e6fd23d6ade3e4bd1 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-12-02 16:29:44 -05:00
# Node-OS: trusty
Add a skeleton asterisk server. This commit adds a bare server that will be updated to become an Asterisk server. Change-Id: If54badab3269d8c8ce504f8bfcb0e5f79eeaeb69
2013-07-16 17:03:58 -04:00
node 'pbx.openstack.org' {
Break out openstack_project::server from pbx.o.o Change-Id: Ia49ee6c3bbf41c03041856aa55f81e7a4c1699bf Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-12-02 17:35:36 -05:00
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
# SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports => [5060],
iptables_public_udp_ports => [5060],
iptables_rules4 => ['-m udp -p udp --dport 10000:20000 -j ACCEPT'],
iptables_rules6 => ['-m udp -p udp --dport 10000:20000 -j ACCEPT'],
}
Add a skeleton asterisk server. This commit adds a bare server that will be updated to become an Asterisk server. Change-Id: If54badab3269d8c8ce504f8bfcb0e5f79eeaeb69
2013-07-16 17:03:58 -04:00
class { 'openstack_project::pbx':
Add voipms configuration Change-Id: Ib776c8944bb3b2564e52b94fdb2bd04ffc6835eb
2013-07-18 13:36:21 -07:00
sip_providers => [
{
provider => 'voipms',
hostname => 'dallas.voip.ms',
Run the puppet apply test (requires sudo) The test.sh script is not currently being run in any jobs, this change removes the redundant validation code that's also in the puppet-syntax job and creates a puppet-apply-test job that runs the test.sh script. Running `puppet apply --noop` requires sudo, otherwise it will give errors about refusing to run commands as other users. Change-Id: Ie6b278d98390a8a5dd8bb24899c8c4083f5755c9
2014-05-16 11:46:59 -04:00
username => hiera('voipms_username', 'username'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from pbx. Change-Id: Ic7c060241253cdf5216e932636b3f51fae24ea41
2015-10-16 14:32:03 -07:00
password => hiera('voipms_password'),
Add voipms configuration Change-Id: Ib776c8944bb3b2564e52b94fdb2bd04ffc6835eb
2013-07-18 13:36:21 -07:00
outgoing => false,
},
],
Add a skeleton asterisk server. This commit adds a bare server that will be updated to become an Asterisk server. Change-Id: If54badab3269d8c8ce504f8bfcb0e5f79eeaeb69
2013-07-16 17:03:58 -04:00
}
}
Add new backup host to puppet Add definition for a new backup host. We'll use ci.openstack.org to make it clear it's not general-purpose, and more mirror-like name in the form backup01.region.provider.ci.opentack.org We have decided to start with fresh backups, so this is using a fresh 3TiB LVM of cinder volumes. After removing the old server, we will attach the old volumes to this for a period in case we need it. Change-Id: I7d0c96ef6f1c68d977da70c047065b10f975b4f2
2017-10-30 10:55:09 +11:00
# Node-OS: xenial
Remove ci-backup-rs-ord.openstack.org Migrate backups to new backup01.ord.rax.ci.openstack.org We decided to start fresh backups on the new server, so this is ready to go. I have performed an initial backup on each server so it has accepted the host key of the new server and been tested (I also fixed up review-dev.o.o, which was rebuilt but keys not updated ... todo: add this to puppet, but since it changes so infrequently not high priority). Change-Id: I0872f9fcf4a334d32f632b3cb04801deefab4fd1
2017-10-30 13:03:42 +11:00
# A backup machine. Don't run cron or puppet agent on it.
Add new backup host to puppet Add definition for a new backup host. We'll use ci.openstack.org to make it clear it's not general-purpose, and more mirror-like name in the form backup01.region.provider.ci.opentack.org We have decided to start with fresh backups, so this is using a fresh 3TiB LVM of cinder volumes. After removing the old server, we will attach the old volumes to this for a period in case we need it. Change-Id: I7d0c96ef6f1c68d977da70c047065b10f975b4f2
2017-10-30 10:55:09 +11:00
node /^backup\d+\..*\.ci\.openstack\.org$/ {
$group = "ci-backup"
class { 'openstack_project::server':
iptables_public_tcp_ports => [],
manage_exim => false,
purge_apt_sources => false,
}
include openstack_project::backup_server
}
Test OpenStackId puppet with Ubuntu Trusty In preparation to upgrade the openstackid-dev.openstack.org and then openstackid.org servers to Ubuntu Trusty (14.04 LTS), add it as a platform in the manifest. Change-Id: I995f52d5c948291f089f356a14c30aaff59e72ed
2015-09-08 17:53:11 +00:00
# Node-OS: trusty
Openstackid.org openid instance Create a productive instance of openid service at openstackid.org. This domain was bought by the Foundation to avoid *.openstack.org cross-domain issues. Related tasks: - create trove database for openid service (openstackid_id_mysql* variables) - setup connection string to openstack.org profile db (openstackid_ss_mysql_* variables) - issue openstackid.org x509 certificate (openstackid_ssl* variables) - setup openstackid_redis_password and openstackid_site_admin_password hiera variables. Change-Id: Iaf198d004d0c9cad10668405b0e5b2537b791a7f
2014-09-05 14:47:47 +02:00
node 'openstackid.org' {
class { 'openstack_project::openstackid_prod':
OpenStackId: Update Email configuration This change is related to https://review.openstack.org/#/c/292605/ its sets smtp configuration and email log error capabilities to both nodes production/dev. Change-Id: Ie4ae1379451059b525a07611867dd4d3f6d6a9ac
2016-03-16 08:22:04 -03:00
sysadmins => hiera('sysadmins', []),
site_admin_password => hiera('openstackid_site_admin_password'),
id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'),
id_mysql_password => hiera('openstackid_id_mysql_password'),
id_mysql_user => hiera('openstackid_id_mysql_user', 'username'),
id_db_name => hiera('openstackid_id_db_name'),
ss_mysql_host => hiera('openstackid_ss_mysql_host', 'localhost'),
ss_mysql_password => hiera('openstackid_ss_mysql_password'),
ss_mysql_user => hiera('openstackid_ss_mysql_user', 'username'),
ss_db_name => hiera('openstackid_ss_db_name', 'username'),
redis_password => hiera('openstackid_redis_password'),
ssl_cert_file_contents => hiera('openstackid_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('openstackid_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('openstackid_ssl_chain_file_contents'),
id_recaptcha_public_key => hiera('openstackid_recaptcha_public_key'),
id_recaptcha_private_key => hiera('openstackid_recaptcha_private_key'),
app_url => 'https://openstackid.org',
app_key => hiera('openstackid_app_key'),
id_log_error_to_email => 'openstack@tipit.net',
id_log_error_from_email => 'noreply@openstack.org',
email_driver => 'smtp',
email_smtp_server => 'smtp.sendgrid.net',
email_smtp_server_user => hiera('openstackid_smtp_user'),
email_smtp_server_password => hiera('openstackid_smtp_password'),
Openstackid.org openid instance Create a productive instance of openid service at openstackid.org. This domain was bought by the Foundation to avoid *.openstack.org cross-domain issues. Related tasks: - create trove database for openid service (openstackid_id_mysql* variables) - setup connection string to openstack.org profile db (openstackid_ss_mysql_* variables) - issue openstackid.org x509 certificate (openstackid_ssl* variables) - setup openstackid_redis_password and openstackid_site_admin_password hiera variables. Change-Id: Iaf198d004d0c9cad10668405b0e5b2537b791a7f
2014-09-05 14:47:47 +02:00
}
}
Test OpenStackId puppet with Ubuntu Trusty In preparation to upgrade the openstackid-dev.openstack.org and then openstackid.org servers to Ubuntu Trusty (14.04 LTS), add it as a platform in the manifest. Change-Id: I995f52d5c948291f089f356a14c30aaff59e72ed
2015-09-08 17:53:11 +00:00
# Node-OS: trusty
Review and create Puppet configuration for dev server blueprint sso-openid-provider Change-Id: I7966f59df6bd6ba851b507c7a408f076d7031abe
2013-10-24 11:18:24 -03:00
node 'openstackid-dev.openstack.org' {
Set up openstackid module Refactor the openstack_project::openstackid_dev module out into a top-level openstackid module in preparation for multiple servers, set up Apache to serve content out of /srv/openstackid, add an /etc/openstackid/database.php file with connection details injected from hiera and keep an updated clone of openstack-infra/openstackid in /opt/openstackid. Change-Id: Icdde594384e3af27c8dd185a51b9e5a71619fb7b
2013-12-20 04:59:12 +00:00
class { 'openstack_project::openstackid_dev':
OpenStackId: Update Email configuration This change is related to https://review.openstack.org/#/c/292605/ its sets smtp configuration and email log error capabilities to both nodes production/dev. Change-Id: Ie4ae1379451059b525a07611867dd4d3f6d6a9ac
2016-03-16 08:22:04 -03:00
sysadmins => hiera('sysadmins', []),
site_admin_password => hiera('openstackid_dev_site_admin_password'),
id_mysql_host => hiera('openstackid_dev_id_mysql_host', 'localhost'),
id_mysql_password => hiera('openstackid_dev_id_mysql_password'),
id_mysql_user => hiera('openstackid_dev_id_mysql_user', 'username'),
ss_mysql_host => hiera('openstackid_dev_ss_mysql_host', 'localhost'),
ss_mysql_password => hiera('openstackid_dev_ss_mysql_password'),
ss_mysql_user => hiera('openstackid_dev_ss_mysql_user', 'username'),
ss_db_name => hiera('openstackid_dev_ss_db_name', 'username'),
redis_password => hiera('openstackid_dev_redis_password'),
ssl_cert_file_contents => hiera('openstackid_dev_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('openstackid_dev_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('openstackid_dev_ssl_chain_file_contents'),
id_recaptcha_public_key => hiera('openstackid_dev_recaptcha_public_key'),
id_recaptcha_private_key => hiera('openstackid_dev_recaptcha_private_key'),
app_url => 'https://openstackid-dev.openstack.org',
app_key => hiera('openstackid_dev_app_key'),
id_log_error_to_email => 'openstack@tipit.net',
id_log_error_from_email => 'noreply@openstack.org',
email_driver => 'smtp',
email_smtp_server => 'smtp.sendgrid.net',
email_smtp_server_user => hiera('openstackid_dev_smtp_user'),
email_smtp_server_password => hiera('openstackid_dev_smtp_password'),
Review and create Puppet configuration for dev server blueprint sso-openid-provider Change-Id: I7966f59df6bd6ba851b507c7a408f076d7031abe
2013-10-24 11:18:24 -03:00
}
}
Add a test node for puppet-openstackci/single-node-ci Ensure changes to single-node-ci dependencies are always co-installable. Change-Id: I6638bc477a63f1da8fc70dc048691d1667e8319f
2016-11-15 17:12:46 -08:00
# Node-OS: trusty
# Used for testing all-in-one deployments
node 'single-node-ci.test.only' {
include ::openstackci::single_node_ci
}
Add Kerberos config Step one in an AFS cell is getting kerberos working. This does not provide end-to-end KDC management - the realm still needs to be created by hand. Change-Id: I891d784d676ab79e7aca9c883dd9e705a30db6e5
2014-10-18 14:56:00 -07:00
# Node-OS: trusty
node 'kdc01.openstack.org' {
Clean up openstack_project::server for kdc01 / kdc02 Move openstack_project::server into site.pp like other nodes, this was the old way of provisioning servers. Change-Id: If36ace9c377881e25d30e1f7f0184383b894ca17 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-15 11:01:06 -05:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
sysadmins => hiera('sysadmins', []),
Add Kerberos config Step one in an AFS cell is getting kerberos working. This does not provide end-to-end KDC management - the realm still needs to be created by hand. Change-Id: I891d784d676ab79e7aca9c883dd9e705a30db6e5
2014-10-18 14:56:00 -07:00
}
Clean up openstack_project::server for kdc01 / kdc02 Move openstack_project::server into site.pp like other nodes, this was the old way of provisioning servers. Change-Id: If36ace9c377881e25d30e1f7f0184383b894ca17 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-15 11:01:06 -05:00
class { 'openstack_project::kdc': }
Add Kerberos config Step one in an AFS cell is getting kerberos working. This does not provide end-to-end KDC management - the realm still needs to be created by hand. Change-Id: I891d784d676ab79e7aca9c883dd9e705a30db6e5
2014-10-18 14:56:00 -07:00
}
Add kdc04.o.o xenial node Bring online Change-Id: I52fea922914cb8b9fbc02a839ff520ddfe58e93a Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-12-15 11:38:10 -05:00
# Node-OS: xenial
node 'kdc04.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::kdc':
slave => true,
}
}
Add a cron job to release AFS volumes Every 5 minutes, check to see if the docs volumes have been updated, and if so, release them. This means we can serve the docs volumes from replicated read-only volumes with only a 5 minute delay. Since this does not coordinate with the docs publishing jobs, we may end up releasing partial updates, however, those jobs, since they use rsync, should tolerate this. Change-Id: I082ae6f37af9a6e12ad62b0cc4cb45e631a0935b
2016-11-22 09:31:05 -08:00
# Node-OS: trusty
Fix syntax error in afsdb01 site defn Change-Id: I33cdaed6363ebb73ee00cd1403363df75d09d54b
2017-01-06 15:18:02 -08:00
node 'afsdb01.openstack.org' {
Add a cron job to release AFS volumes Every 5 minutes, check to see if the docs volumes have been updated, and if so, release them. This means we can serve the docs volumes from replicated read-only volumes with only a 5 minute delay. Since this does not coordinate with the docs publishing jobs, we may end up releasing partial updates, however, those jobs, since they use rsync, should tolerate this. Change-Id: I082ae6f37af9a6e12ad62b0cc4cb45e631a0935b
2016-11-22 09:31:05 -08:00
$group = "afsdb"
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true,
manage_exim => true,
}
include openstack_project::afsdb
include openstack_project::afsrelease
}
Add AFS I don't really think this needs any further explanation. Change-Id: I41378bd320c6c6fad2c981d5cc773486af075c41
2014-10-18 16:22:52 -07:00
# Node-OS: trusty
node /^afsdb.*\.openstack\.org$/ {
Set $group at node scope for hiera lookups In order to support ansible copying split-out hiera files from the master to the nodes, we need to support group files in addition to just fqdn and common files. Change-Id: I0732cc8521bc5f6588f5de286f874a69ef45ab14
2015-03-16 12:47:42 -07:00
$group = "afsdb"
Pull o_p::server invocation out of afs roles Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html Story: 2000172 Change-Id: Id680dfe2e7925f138d6c34ec838f30268946836f
2015-04-07 13:55:42 -07:00
AFS servers use server class instead of template The openstack_project::server class declares things we want to be true of our long-lived servers, so use it instead of openstack_project::template (which it then indirectly uses). Change-Id: Ie4bc41ec0b333ad9151e5df458e2762835672e6c
2016-01-20 00:13:50 +00:00
class { 'openstack_project::server':
Pull o_p::server invocation out of afs roles Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html Story: 2000172 Change-Id: Id680dfe2e7925f138d6c34ec838f30268946836f
2015-04-07 13:55:42 -07:00
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true,
Move afs servers to using o_p::template This is part of a multi-stage process to merge o_p::server and o_p::template. Change-Id: I3bd3242a26fe701741a7784ae4e10e4183be17cf
2015-05-06 15:43:27 -07:00
manage_exim => true,
Add AFS I don't really think this needs any further explanation. Change-Id: I41378bd320c6c6fad2c981d5cc773486af075c41
2014-10-18 16:22:52 -07:00
}
Pull o_p::server invocation out of afs roles Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html Story: 2000172 Change-Id: Id680dfe2e7925f138d6c34ec838f30268946836f
2015-04-07 13:55:42 -07:00
include openstack_project::afsdb
Add AFS I don't really think this needs any further explanation. Change-Id: I41378bd320c6c6fad2c981d5cc773486af075c41
2014-10-18 16:22:52 -07:00
}
# Node-OS: trusty
node /^afs.*\..*\.openstack\.org$/ {
Set $group at node scope for hiera lookups In order to support ansible copying split-out hiera files from the master to the nodes, we need to support group files in addition to just fqdn and common files. Change-Id: I0732cc8521bc5f6588f5de286f874a69ef45ab14
2015-03-16 12:47:42 -07:00
$group = "afs"
Pull o_p::server invocation out of afs roles Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html Story: 2000172 Change-Id: Id680dfe2e7925f138d6c34ec838f30268946836f
2015-04-07 13:55:42 -07:00
AFS servers use server class instead of template The openstack_project::server class declares things we want to be true of our long-lived servers, so use it instead of openstack_project::template (which it then indirectly uses). Change-Id: Ie4bc41ec0b333ad9151e5df458e2762835672e6c
2016-01-20 00:13:50 +00:00
class { 'openstack_project::server':
Pull o_p::server invocation out of afs roles Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html Story: 2000172 Change-Id: Id680dfe2e7925f138d6c34ec838f30268946836f
2015-04-07 13:55:42 -07:00
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true,
Move afs servers to using o_p::template This is part of a multi-stage process to merge o_p::server and o_p::template. Change-Id: I3bd3242a26fe701741a7784ae4e10e4183be17cf
2015-05-06 15:43:27 -07:00
manage_exim => true,
Add AFS I don't really think this needs any further explanation. Change-Id: I41378bd320c6c6fad2c981d5cc773486af075c41
2014-10-18 16:22:52 -07:00
}
Pull o_p::server invocation out of afs roles Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html Story: 2000172 Change-Id: Id680dfe2e7925f138d6c34ec838f30268946836f
2015-04-07 13:55:42 -07:00
include openstack_project::afsfs
Add AFS I don't really think this needs any further explanation. Change-Id: I41378bd320c6c6fad2c981d5cc773486af075c41
2014-10-18 16:22:52 -07:00
}
Switch ask.openstack.org to Ubuntu Trusty As part of the ask.openstack.org upgrade, it must be migrated to Ubuntu Trusty. The askbot puppet module no longer properly supports Precise and is not being applied on the old ask production server in preparation for this migration. Go ahead and start testing for the correct platform now. Change-Id: I50a991ec9343fae1329601036776bcee7a7a62aa
2015-08-05 15:56:08 +00:00
# Node-OS: trusty
Initial commit of Ask website Add ask.openstack.org to openstack-infra. Setup an all-in-one askbot site based on existing deployment, including apache, redis,apache solr,postgresql. See askbot.rst for further details. Refactored to depend on vamsee's puppet solr module. Depends-On: Iffe07d3a34087cb15151787bc683208425a27594 Change-Id: I36504eac7b953c3cce3e21a3559ac95b1bc12da7
2014-12-08 16:58:38 +01:00
node 'ask.openstack.org' {
Move the server class settings out of the ask class Story: 2000172 Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/server_base_template_refactor.html Change-Id: I5e3c076c98cee4605f90f8dab473039221cc1c50
2015-05-15 16:53:38 -04:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
Initial commit of Ask website Add ask.openstack.org to openstack-infra. Setup an all-in-one askbot site based on existing deployment, including apache, redis,apache solr,postgresql. See askbot.rst for further details. Refactored to depend on vamsee's puppet solr module. Depends-On: Iffe07d3a34087cb15151787bc683208425a27594 Change-Id: I36504eac7b953c3cce3e21a3559ac95b1bc12da7
2014-12-08 16:58:38 +01:00
class { 'openstack_project::ask':
db_user => hiera('ask_db_user', 'ask'),
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from ask. Change-Id: I8da8c2ef9c98b358ad76a15f1d939cf491c64471
2015-10-16 14:36:04 -07:00
db_password => hiera('ask_db_password'),
redis_password => hiera('ask_redis_password'),
Initial commit of Ask website Add ask.openstack.org to openstack-infra. Setup an all-in-one askbot site based on existing deployment, including apache, redis,apache solr,postgresql. See askbot.rst for further details. Refactored to depend on vamsee's puppet solr module. Depends-On: Iffe07d3a34087cb15151787bc683208425a27594 Change-Id: I36504eac7b953c3cce3e21a3559ac95b1bc12da7
2014-12-08 16:58:38 +01:00
site_ssl_cert_file_contents => hiera('ask_site_ssl_cert_file_contents', undef),
site_ssl_key_file_contents => hiera('ask_site_ssl_key_file_contents', undef),
site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
}
}
Initial commit of ask-staging.o.o site This patch provides the ask-staging.o.o instance and required service dependencies like pgsql database and solr service. The ask-staging.o.o is used to test the development patches of the production ask.o.o, and part of the ask.o.o quality assurance process of a release. New hiera variables: - ask_staging_db_password: staging database password - ask_staging_redis_password: redis password Depends-On: I560c24c3b09e4a8d09b23afa619a4cf361601cbe Depends-On: Id0c414dbac24056aad2a619b09327855f52ec3a9 Change-Id: I605102358a6cb05b1fbdb2564d578e89de253413
2015-04-13 13:07:23 +02:00
# Node-OS: trusty
node 'ask-staging.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::ask_staging':
Remove placeholder hiera defaults Now that the apply tests no longer require default values for all hiera calls, remove the placeholder 'XXX' default values from ask. Change-Id: I8da8c2ef9c98b358ad76a15f1d939cf491c64471
2015-10-16 14:36:04 -07:00
db_password => hiera('ask_staging_db_password'),
redis_password => hiera('ask_staging_redis_password'),
Initial commit of ask-staging.o.o site This patch provides the ask-staging.o.o instance and required service dependencies like pgsql database and solr service. The ask-staging.o.o is used to test the development patches of the production ask.o.o, and part of the ask.o.o quality assurance process of a release. New hiera variables: - ask_staging_db_password: staging database password - ask_staging_redis_password: redis password Depends-On: I560c24c3b09e4a8d09b23afa619a4cf361601cbe Depends-On: Id0c414dbac24056aad2a619b09327855f52ec3a9 Change-Id: I605102358a6cb05b1fbdb2564d578e89de253413
2015-04-13 13:07:23 +02:00
}
}
Add puppetry for translate01 xenialing This is part of the Zanata upgrade process. We will be deploying new Zanata to translate01.openstack.org so add node def in site.pp to support that. This keeps the old translate.o.o def too so that it is left alone untouched. Note that this also adds code to pass through wildlfy's install URL and fixes the specification of the wildfly version number. I think the version number var being wrong was not a problem for us because the wildfly installation only runs if there is no installation dir in place. Change-Id: I4b6ababcc34e2464cf6a824e92a1c146d553dcaf
2017-02-27 09:09:48 -08:00
# Node-OS: trusty
# Node-OS: xenial
node /^translate\d+\.openstack\.org$/ {
Add translate ansible group This was missed as part of the earlier translate upgrade change. With switch to digitized host names we also want to group those hosts together in hiera and ansible. Make that change here. Change-Id: I6d25b35efbf0b43bd63a8ff9e217b68663575c75
2017-02-27 11:03:27 -08:00
$group = "translate"
Add puppetry for translate01 xenialing This is part of the Zanata upgrade process. We will be deploying new Zanata to translate01.openstack.org so add node def in site.pp to support that. This keeps the old translate.o.o def too so that it is left alone untouched. Note that this also adds code to pass through wildlfy's install URL and fixes the specification of the wildfly version number. I think the version number var being wrong was not a problem for us because the wildfly installation only runs if there is no installation dir in place. Change-Id: I4b6ababcc34e2464cf6a824e92a1c146d553dcaf
2017-02-27 09:09:48 -08:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::translate':
Refresh Zanata admin user list This users are "static" configured in Wildfly to have admin privileges on startup time and without configuration in Zanata database. This is required for maintenance and prevents mistakes if admin accounts are removed in Zanata database. * remove former members from infra and i18n team * review selected infra-cores * ensure infra account for Zuul jobs is present * add ianychoi and eumel8 (myself) from i18n-core team Change-Id: I1deb6ac3080761a474f7030ddfab46e48c0ad48d
2017-12-04 05:52:39 +01:00
admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
Add puppetry for translate01 xenialing This is part of the Zanata upgrade process. We will be deploying new Zanata to translate01.openstack.org so add node def in site.pp to support that. This keeps the old translate.o.o def too so that it is left alone untouched. Note that this also adds code to pass through wildlfy's install URL and fixes the specification of the wildfly version number. I think the version number var being wrong was not a problem for us because the wildfly installation only runs if there is no installation dir in place. Change-Id: I4b6ababcc34e2464cf6a824e92a1c146d553dcaf
2017-02-27 09:09:48 -08:00
openid_url => 'https://openstackid.org',
listeners => ['ajp'],
from_address => 'noreply@openstack.org',
Update db creds for translate01.o.o This should only be done as part of the service cut over from old translate.o.o server to new translate01.o.o server. Change-Id: I6716b94cbd639b2bd4d1c9d73a3e19626d9b2da0
2017-02-27 15:35:07 -08:00
mysql_host => hiera('translate_mysql_host', 'localhost'),
mysql_password => hiera('translate_mysql_password'),
Add puppetry for translate01 xenialing This is part of the Zanata upgrade process. We will be deploying new Zanata to translate01.openstack.org so add node def in site.pp to support that. This keeps the old translate.o.o def too so that it is left alone untouched. Note that this also adds code to pass through wildlfy's install URL and fixes the specification of the wildfly version number. I think the version number var being wrong was not a problem for us because the wildfly installation only runs if there is no installation dir in place. Change-Id: I4b6ababcc34e2464cf6a824e92a1c146d553dcaf
2017-02-27 09:09:48 -08:00
zanata_server_user => hiera('proposal_zanata_user'),
zanata_server_api_key => hiera('proposal_zanata_api_key'),
zanata_wildfly_version => '10.1.0',
zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
zanata_url => 'https://github.com/zanata/zanata-server/releases/download/server-3.9.6/zanata-3.9.6-wildfly.zip',
zanata_checksum => 'cb7a477f46a118a337b59b9f4004ef7e6c77a1a8',
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
ssl_cert_file_contents => hiera('translate_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('translate_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('translate_ssl_chain_file_contents'),
Set vhost name on translate\d+ properly These hosts will have hostnames like translate01.openstack.org but will serve content for transate.openstack.org so we have to set the apache vhost name properly. Change-Id: Ia3e08272cd0ca566b02dab8f425a9cf6814dd233
2017-02-27 11:05:10 -08:00
vhost_name => 'translate.openstack.org',
Add puppetry for translate01 xenialing This is part of the Zanata upgrade process. We will be deploying new Zanata to translate01.openstack.org so add node def in site.pp to support that. This keeps the old translate.o.o def too so that it is left alone untouched. Note that this also adds code to pass through wildlfy's install URL and fixes the specification of the wildfly version number. I think the version number var being wrong was not a problem for us because the wildfly installation only runs if there is no installation dir in place. Change-Id: I4b6ababcc34e2464cf6a824e92a1c146d553dcaf
2017-02-27 09:09:48 -08:00
}
}
Add infra setup for zanata Add an entry in site.pp and a module for translate-dev so we can deploy an initial test server. Change-Id: I64334620665718f430ddba8dfd304a476365ce5e
2015-03-30 12:13:59 -07:00
# Node-OS: trusty
Allow for many translate-dev servers As part of the work to redeploy Zanata on Xenial for newer Java lets modernize the deployment a bit and allow for arbitrary numbered servers. Change-Id: Iee1192fc4e4798ccbeb9bad98a53fb3896d02a5c
2016-11-18 14:35:38 -08:00
# Node-OS: xenial
node /^translate-dev\d*\.openstack\.org$/ {
$group = "translate-dev"
Add infra setup for zanata Add an entry in site.pp and a module for translate-dev so we can deploy an initial test server. Change-Id: I64334620665718f430ddba8dfd304a476365ce5e
2015-03-30 12:13:59 -07:00
class { 'openstack_project::translate_dev':
Allow for many translate-dev servers As part of the work to redeploy Zanata on Xenial for newer Java lets modernize the deployment a bit and allow for arbitrary numbered servers. Change-Id: Iee1192fc4e4798ccbeb9bad98a53fb3896d02a5c
2016-11-18 14:35:38 -08:00
sysadmins => hiera('sysadmins', []),
Refresh Zanata admin user list This users are "static" configured in Wildfly to have admin privileges on startup time and without configuration in Zanata database. This is required for maintenance and prevents mistakes if admin accounts are removed in Zanata database. * remove former members from infra and i18n team * review selected infra-cores * ensure infra account for Zuul jobs is present * add ianychoi and eumel8 (myself) from i18n-core team Change-Id: I1deb6ac3080761a474f7030ddfab46e48c0ad48d
2017-12-04 05:52:39 +01:00
admin_users => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
Switch to openstackid-dev for translate-dev Switch to dev version so that upgrades of openstackid can get tested Change-Id: Ic0e1cb6116bb9b9143e1dae3e1eb7aa1f30c5808
2017-01-12 22:03:58 +00:00
openid_url => 'https://openstackid-dev.openstack.org',
Allow for many translate-dev servers As part of the work to redeploy Zanata on Xenial for newer Java lets modernize the deployment a bit and allow for arbitrary numbered servers. Change-Id: Iee1192fc4e4798ccbeb9bad98a53fb3896d02a5c
2016-11-18 14:35:38 -08:00
listeners => ['ajp'],
from_address => 'noreply@openstack.org',
mysql_host => hiera('translate_dev_mysql_host', 'localhost'),
mysql_password => hiera('translate_dev_mysql_password'),
zanata_server_user => hiera('proposal_zanata_user'),
zanata_server_api_key => hiera('proposal_zanata_api_key'),
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
vhost_name => 'translate-dev.openstack.org',
Add infra setup for zanata Add an entry in site.pp and a module for translate-dev so we can deploy an initial test server. Change-Id: I64334620665718f430ddba8dfd304a476365ce5e
2015-03-30 12:13:59 -07:00
}
}
Create apps-dev.openstack.org for testing community app-catalog For testsing new App-Catalog, based on Glare v1 API we need a temporary web-site, where users will be able to work with it, do some operations and provede bug reports. When this testing site is considered stable, it will replace original apps.openstack.org Depends-On: I9fbe756cfcc2456587c0395e88f14681a1e43ee4 Change-Id: I41e3b11f5823c1445d15770a40741c96be3e2e78
2016-10-06 16:58:56 +03:00
Add odsreg server Change-Id: I887724a51be070b1ddb1f26cf987201c68979429 Depends-On: I380308eb96024792f416c1bf0bf0062bf143b923
2015-09-15 16:40:52 -07:00
# Node-OS: trusty
node 'odsreg.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
realize (
User::Virtual::Localuser['ttx'],
)
class { '::odsreg':
}
}
Add codesearch.o.o node and module puppet-hound is in working order. This adds puppet-hound to INTEGRATION_MODULES, creates a new codesearch.o.o node, and installs hound on it. Depends-On: Ie4b6509947f58407c4cc6f5a2c7c2bc84c619ce9 Change-Id: I238b05e8b25229d7dcf840441cd9d3af09f3e249
2015-08-24 23:23:06 -07:00
# Node-OS: trusty
xenial update for codesearch.o.o Change-Id: I7859eb26168e5ee11ab2290e55409ff6b86aceab
2017-12-15 10:03:50 +11:00
# Node-OS: xenial
node /^codesearch\d*\.openstack\.org$/ {
$group = "codesearch"
Add codesearch.o.o node and module puppet-hound is in working order. This adds puppet-hound to INTEGRATION_MODULES, creates a new codesearch.o.o node, and installs hound on it. Depends-On: Ie4b6509947f58407c4cc6f5a2c7c2bc84c619ce9 Change-Id: I238b05e8b25229d7dcf840441cd9d3af09f3e249
2015-08-24 23:23:06 -07:00
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
}
class { 'openstack_project::codesearch':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
}
}
Add Infra Cloud controller node Add a node definition for controller nodes in the hpuswest region. Change-Id: I55666098335f26d24f0351cc6f3259fa055eb65b
2015-08-05 16:06:43 -07:00
# Node-OS: trusty
Change hpuswest for vanilla on controller and compute node definitions The naming changed from hpuswest to vanilla, we need to change this to get Puppet working. Change-Id: I074ddc9cf5ebf97f628f6afb553f5837729153b9
2016-08-23 09:14:25 +02:00
node 'controller00.vanilla.ic.openstack.org' {
Add Infra Cloud controller node Add a node definition for controller nodes in the hpuswest region. Change-Id: I55666098335f26d24f0351cc6f3259fa055eb65b
2015-08-05 16:06:43 -07:00
$group = 'infracloud'
class { '::openstack_project::server':
Allow TCP/80 on controllers We need to open the firewall to allow access of our log files. Change-Id: Ifb8469c737766bd7f1b147f733444c2185bfa47f Depends-On: I569b4fc58bae8aba4d3451f9eb544304cef89e5d Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-02-26 11:58:22 -05:00
iptables_public_tcp_ports => [80,5000,5671,8774,9292,9696,35357], # logs,keystone,rabbit,nova,glance,neutron,keystone
Add Infra Cloud controller node Add a node definition for controller nodes in the hpuswest region. Change-Id: I55666098335f26d24f0351cc6f3259fa055eb65b
2015-08-05 16:06:43 -07:00
sysadmins => hiera('sysadmins', []),
enable_unbound => false,
Don't purge apt sources on infracloud Without this change, puppetting an infracloud machine from scratch results in an error[1]. The order of events that causes this issue is: 1) Puppet purges /etc/apt/sources.list, removing all of apt's knowledge of other sources 2) Puppet creates /etc/apt/sources.list.d/openstack-infra.list, but this will have no effect on apt's knowledge of other sources until an apt-get update is run 3) The puppet-openstack_extras module runs an exec to install the ubuntu-cloud-keyring package. (This is done with an exec type rather than a package type because it needs to be run before Exec['apt_update'] which is defined in the puppetlabs-apt module.) Since apt at this point knows of no apt sources in the world, it fails to find the package. 4) Apt-get update is run and the world is right again, so subsequent puppet runs or manual installs of ubuntu-cloud-keyring are confusingly successful. A potential fix for this is to create another exec resource that runs apt-get update after adding openstack-infra.list but before installing ubuntu-cloud-keyring, after which apt-get update will run once again. This is inefficient and ugly. Since on these particular nodes we control the base images, and the default apt sources list is sane and matches what we have set in openstack-infra.list anyway, we can just disable the purging of the original sources.list and there will no longer be any point during which apt has no sources. [1] http://paste.openstack.org/show/488079/ Change-Id: I2cb375979d55e612fe8acc4cc7abdd393f39c2b9
2016-02-24 10:50:08 -08:00
purge_apt_sources => false,
Add Infra Cloud controller node Add a node definition for controller nodes in the hpuswest region. Change-Id: I55666098335f26d24f0351cc6f3259fa055eb65b
2015-08-05 16:06:43 -07:00
}
class { '::openstack_project::infracloud::controller':
Send keystone_rabbit_password parameter We cannot use default guest/guest as it has been disabled on our rabbit. So we need to generate a pass in hiera for that, and pass it properly to the manifest. Change-Id: I407119383b232f07888dc9821771f1ece383a431 Depends-On: I9582d68ca93f2f7b5742523e273ebf6b5a9c0c13
2016-02-10 17:13:38 +01:00
keystone_rabbit_password => hiera('keystone_rabbit_password'),
Add Infra Cloud controller node Add a node definition for controller nodes in the hpuswest region. Change-Id: I55666098335f26d24f0351cc6f3259fa055eb65b
2015-08-05 16:06:43 -07:00
neutron_rabbit_password => hiera('neutron_rabbit_password'),
nova_rabbit_password => hiera('nova_rabbit_password'),
root_mysql_password => hiera('infracloud_mysql_password'),
keystone_mysql_password => hiera('keystone_mysql_password'),
glance_mysql_password => hiera('glance_mysql_password'),
neutron_mysql_password => hiera('neutron_mysql_password'),
nova_mysql_password => hiera('nova_mysql_password'),
keystone_admin_password => hiera('keystone_admin_password'),
glance_admin_password => hiera('glance_admin_password'),
neutron_admin_password => hiera('neutron_admin_password'),
nova_admin_password => hiera('nova_admin_password'),
keystone_admin_token => hiera('keystone_admin_token'),
Update InfraCloud SSL configuration Update the system-config manifest to support the simplifying changes made in the puppet-infracloud module. This patch will require updates to hiera. We need keys hpuswest_ssl_cert_file_contents and ssl_key_file_contents added, and hpuswest_ssl_cert_file_contents must be in the 'infracloud' hiera group since it is shared to the compute nodes. Change-Id: I39c70b1077e8b467e0a7e123a694d037ffc77f7a Depends-On: Ibeea608e965e58c496a95b2f02a4bf6b13e15f0e
2016-02-11 20:15:07 -08:00
ssl_key_file_contents => hiera('ssl_key_file_contents'),
Replace hpuswest naming for vanilla on hiera keys Change-Id: Ia2f0164b2c28a03281f50a8ec680c48e51c051f0
2016-08-23 12:36:18 +02:00
ssl_cert_file_contents => hiera('infracloud_vanilla_ssl_cert_file_contents'),
Start using br_infracloud as bridge name Change-Id: I9a2bb48dbec64c0f4f1d9442129a08561c387819 Depends-On: I0790bab2fd63f525e8b9c8d47ee79ea63a72750a
2016-09-12 12:35:42 +02:00
br_name => hiera('bridge_name'),
Add Infra Cloud controller node Add a node definition for controller nodes in the hpuswest region. Change-Id: I55666098335f26d24f0351cc6f3259fa055eb65b
2015-08-05 16:06:43 -07:00
controller_public_address => $::fqdn,
Correct vanilla Neutron ranges The new IP range for vanilla is 15.184.64.0/19, amending so Neutron can allocate IPs. Change-Id: Ide942bacec5ee78f33e99fbbf1f057415bb320ad
2016-08-23 11:08:53 +02:00
neutron_subnet_cidr => '15.184.64.0/19',
neutron_subnet_gateway => '15.184.64.1',
Send the network parameters to infracloud controller Also send the default values for west, to be sure that settings are properly applied. Change-Id: Ie332bf2b9970be02311bf76888c28d25249abf61
2016-02-24 23:52:38 +01:00
neutron_subnet_allocation_pools => [
Correct vanilla Neutron ranges The new IP range for vanilla is 15.184.64.0/19, amending so Neutron can allocate IPs. Change-Id: Ide942bacec5ee78f33e99fbbf1f057415bb320ad
2016-08-23 11:08:53 +02:00
'start=15.184.65.2,end=15.184.65.254',
'start=15.184.66.2,end=15.184.66.254',
'start=15.184.67.2,end=15.184.67.254'
Pick infracloud mysql connections value from hiera It needs to be tuned depending on number of cpus and memory of the server. Change-Id: Id00d32c1bc225db16fa45d990ff8227db4f68ff0 Depends-On: Id5a0e5af031175cc0a9d8b5a3bb97ae4adfbdf1e
2016-10-17 10:15:06 +02:00
],
mysql_max_connections => hiera('mysql_max_connections'),
Add Infra Cloud controller node Add a node definition for controller nodes in the hpuswest region. Change-Id: I55666098335f26d24f0351cc6f3259fa055eb65b
2015-08-05 16:06:43 -07:00
}
}
Change hpuswest for vanilla on controller and compute node definitions The naming changed from hpuswest to vanilla, we need to change this to get Puppet working. Change-Id: I074ddc9cf5ebf97f628f6afb553f5837729153b9
2016-08-23 09:14:25 +02:00
node /^compute\d{3}\.vanilla\.ic\.openstack\.org$/ {
Add Infra Cloud compute node definition Add definition for compute nodes in the hpuswest region. Change-Id: I9bce2a37d427558ba7a59fc6bc9edfd62edeac45
2015-10-06 16:00:18 -07:00
$group = 'infracloud'
class { '::openstack_project::server':
sysadmins => hiera('sysadmins', []),
enable_unbound => false,
Don't purge apt sources on infracloud Without this change, puppetting an infracloud machine from scratch results in an error[1]. The order of events that causes this issue is: 1) Puppet purges /etc/apt/sources.list, removing all of apt's knowledge of other sources 2) Puppet creates /etc/apt/sources.list.d/openstack-infra.list, but this will have no effect on apt's knowledge of other sources until an apt-get update is run 3) The puppet-openstack_extras module runs an exec to install the ubuntu-cloud-keyring package. (This is done with an exec type rather than a package type because it needs to be run before Exec['apt_update'] which is defined in the puppetlabs-apt module.) Since apt at this point knows of no apt sources in the world, it fails to find the package. 4) Apt-get update is run and the world is right again, so subsequent puppet runs or manual installs of ubuntu-cloud-keyring are confusingly successful. A potential fix for this is to create another exec resource that runs apt-get update after adding openstack-infra.list but before installing ubuntu-cloud-keyring, after which apt-get update will run once again. This is inefficient and ugly. Since on these particular nodes we control the base images, and the default apt sources list is sane and matches what we have set in openstack-infra.list anyway, we can just disable the purging of the original sources.list and there will no longer be any point during which apt has no sources. [1] http://paste.openstack.org/show/488079/ Change-Id: I2cb375979d55e612fe8acc4cc7abdd393f39c2b9
2016-02-24 10:50:08 -08:00
purge_apt_sources => false,
Add Infra Cloud compute node definition Add definition for compute nodes in the hpuswest region. Change-Id: I9bce2a37d427558ba7a59fc6bc9edfd62edeac45
2015-10-06 16:00:18 -07:00
}
class { '::openstack_project::infracloud::compute':
nova_rabbit_password => hiera('nova_rabbit_password'),
neutron_rabbit_password => hiera('neutron_rabbit_password'),
neutron_admin_password => hiera('neutron_admin_password'),
Add ssl_key_file_contents to compute nodes It needed to be added, because vms were not booting with an error on that key being absent. Change-Id: I26e7f6a4b8226787bf76f9fdb8a2b2ccc8f2cbda
2016-08-23 15:49:39 +02:00
ssl_key_file_contents => hiera('ssl_key_file_contents'),
Replace hpuswest naming for vanilla on hiera keys Change-Id: Ia2f0164b2c28a03281f50a8ec680c48e51c051f0
2016-08-23 12:36:18 +02:00
ssl_cert_file_contents => hiera('infracloud_vanilla_ssl_cert_file_contents'),
Start using br_infracloud as bridge name Change-Id: I9a2bb48dbec64c0f4f1d9442129a08561c387819 Depends-On: I0790bab2fd63f525e8b9c8d47ee79ea63a72750a
2016-09-12 12:35:42 +02:00
br_name => hiera('bridge_name'),
Change hpuswest for vanilla on controller and compute node definitions The naming changed from hpuswest to vanilla, we need to change this to get Puppet working. Change-Id: I074ddc9cf5ebf97f628f6afb553f5837729153b9
2016-08-23 09:14:25 +02:00
controller_public_address => 'controller00.vanilla.ic.openstack.org',
Add Infra Cloud compute node definition Add definition for compute nodes in the hpuswest region. Change-Id: I9bce2a37d427558ba7a59fc6bc9edfd62edeac45
2015-10-06 16:00:18 -07:00
}
}
Add controller00.chocolate to site.pp I will land this when we have proper hiera stuff on puppetmaster. Change-Id: I3fd2fe7b7bc03f1331d2d89df34240f14095537b
2016-09-13 13:08:13 +02:00
# Node-OS: trusty
node 'controller00.chocolate.ic.openstack.org' {
$group = 'infracloud'
class { '::openstack_project::server':
iptables_public_tcp_ports => [80,5000,5671,8774,9292,9696,35357], # logs,keystone,rabbit,nova,glance,neutron,keystone
sysadmins => hiera('sysadmins', []),
enable_unbound => false,
purge_apt_sources => false,
}
class { '::openstack_project::infracloud::controller':
keystone_rabbit_password => hiera('keystone_rabbit_password'),
neutron_rabbit_password => hiera('neutron_rabbit_password'),
nova_rabbit_password => hiera('nova_rabbit_password'),
root_mysql_password => hiera('infracloud_mysql_password'),
keystone_mysql_password => hiera('keystone_mysql_password'),
glance_mysql_password => hiera('glance_mysql_password'),
neutron_mysql_password => hiera('neutron_mysql_password'),
nova_mysql_password => hiera('nova_mysql_password'),
keystone_admin_password => hiera('keystone_admin_password'),
glance_admin_password => hiera('glance_admin_password'),
neutron_admin_password => hiera('neutron_admin_password'),
nova_admin_password => hiera('nova_admin_password'),
keystone_admin_token => hiera('keystone_admin_token'),
ssl_key_file_contents => hiera('infracloud_chocolate_ssl_key_file_contents'),
ssl_cert_file_contents => hiera('infracloud_chocolate_ssl_cert_file_contents'),
br_name => 'br-vlan2551',
controller_public_address => $::fqdn,
neutron_subnet_cidr => '15.184.64.0/19',
neutron_subnet_gateway => '15.184.64.1',
neutron_subnet_allocation_pools => [
'start=15.184.68.2,end=15.184.68.254',
'start=15.184.69.2,end=15.184.69.254',
'start=15.184.70.2,end=15.184.70.254'
]
}
}
Add compute node block for chocolate region I will land this when we have proper hiera keys for everything. Change-Id: I8deb31ed69e9d8d7a04d24ccfdeeb7ac5e497eb3
2016-09-13 13:20:27 +02:00
node /^compute\d{3}\.chocolate\.ic\.openstack\.org$/ {
$group = 'infracloud'
class { '::openstack_project::server':
sysadmins => hiera('sysadmins', []),
enable_unbound => false,
purge_apt_sources => false,
}
class { '::openstack_project::infracloud::compute':
nova_rabbit_password => hiera('nova_rabbit_password'),
neutron_rabbit_password => hiera('neutron_rabbit_password'),
neutron_admin_password => hiera('neutron_admin_password'),
ssl_key_file_contents => hiera('infracloud_chocolate_ssl_key_file_contents'),
ssl_cert_file_contents => hiera('infracloud_chocolate_ssl_cert_file_contents'),
br_name => 'br-vlan2551',
controller_public_address => 'controller00.chocolate.ic.openstack.org',
}
}
Add baremetal hpuswest node definition Add definition for baremetal nodes for hpuswest, plus a script to one-time enroll and deploy nodes in bifrost. Co-Authored-By: Clint Byrum <clint@fewbar.com> Co-Authored-By: greghaynes <greg@greghaynes.net> Co-Authored-By: Yolanda Robla <info@ysoft.biz> Depends-On: I949344c16cf9ee3965b0bc96850eb208ac65b168 Change-Id: I947add7e8e8aa88fe6e881d77fd3278910b3b903
2015-08-05 11:04:13 -07:00
# Node-OS: trusty
# Upgrade-Modules
Bring baremetal00.vanilla.ic.openstack.org online Now that we have access again to baremetal00.vanilla.ic.openstack.org we can enroll it again into puppet. Change-Id: Id15c8694fe5e23896dd5778997d12dd13169183e Depends-On: I9dfdd617fba45c0947bd3d4e853d85b83923018b Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-06-08 16:09:08 -04:00
node /^baremetal\d{2}\.vanilla\.ic\.openstack\.org$/ {
Add baremetal hpuswest node definition Add definition for baremetal nodes for hpuswest, plus a script to one-time enroll and deploy nodes in bifrost. Co-Authored-By: Clint Byrum <clint@fewbar.com> Co-Authored-By: greghaynes <greg@greghaynes.net> Co-Authored-By: Yolanda Robla <info@ysoft.biz> Depends-On: I949344c16cf9ee3965b0bc96850eb208ac65b168 Change-Id: I947add7e8e8aa88fe6e881d77fd3278910b3b903
2015-08-05 11:04:13 -07:00
$group = 'infracloud'
class { '::openstack_project::server':
iptables_public_udp_ports => [67,69],
sysadmins => hiera('sysadmins', []),
enable_unbound => false,
Don't purge apt sources on infracloud Without this change, puppetting an infracloud machine from scratch results in an error[1]. The order of events that causes this issue is: 1) Puppet purges /etc/apt/sources.list, removing all of apt's knowledge of other sources 2) Puppet creates /etc/apt/sources.list.d/openstack-infra.list, but this will have no effect on apt's knowledge of other sources until an apt-get update is run 3) The puppet-openstack_extras module runs an exec to install the ubuntu-cloud-keyring package. (This is done with an exec type rather than a package type because it needs to be run before Exec['apt_update'] which is defined in the puppetlabs-apt module.) Since apt at this point knows of no apt sources in the world, it fails to find the package. 4) Apt-get update is run and the world is right again, so subsequent puppet runs or manual installs of ubuntu-cloud-keyring are confusingly successful. A potential fix for this is to create another exec resource that runs apt-get update after adding openstack-infra.list but before installing ubuntu-cloud-keyring, after which apt-get update will run once again. This is inefficient and ugly. Since on these particular nodes we control the base images, and the default apt sources list is sane and matches what we have set in openstack-infra.list anyway, we can just disable the purging of the original sources.list and there will no longer be any point during which apt has no sources. [1] http://paste.openstack.org/show/488079/ Change-Id: I2cb375979d55e612fe8acc4cc7abdd393f39c2b9
2016-02-24 10:50:08 -08:00
purge_apt_sources => false,
Add baremetal hpuswest node definition Add definition for baremetal nodes for hpuswest, plus a script to one-time enroll and deploy nodes in bifrost. Co-Authored-By: Clint Byrum <clint@fewbar.com> Co-Authored-By: greghaynes <greg@greghaynes.net> Co-Authored-By: Yolanda Robla <info@ysoft.biz> Depends-On: I949344c16cf9ee3965b0bc96850eb208ac65b168 Change-Id: I947add7e8e8aa88fe6e881d77fd3278910b3b903
2015-08-05 11:04:13 -07:00
}
class { '::openstack_project::infracloud::baremetal':
Add network config for puppet-infracloud on hiera Stop hardcoding the network settings on the modules and instead of that, use parameters and rely on public hiera. Change-Id: I3cccfc03609bf90503b3fe27d3e717f89f6ec654
2016-09-16 17:00:33 +02:00
ironic_inventory => hiera('ironic_inventory', {}),
ironic_db_password => hiera('ironic_db_password'),
mysql_password => hiera('bifrost_mysql_password'),
ipmi_passwords => hiera('ipmi_passwords'),
ssh_private_key => hiera('bifrost_vanilla_ssh_private_key'),
ssh_public_key => hiera('bifrost_vanilla_ssh_public_key'),
bridge_name => hiera('bridge_name'),
vlan => hiera('vlan'),
gateway_ip => hiera('gateway_ip'),
default_network_interface => hiera('default_network_interface'),
dhcp_pool_start => hiera('dhcp_pool_start'),
dhcp_pool_end => hiera('dhcp_pool_end'),
network_interface => hiera('network_interface'),
ipv4_nameserver => hiera('ipv4_nameserver'),
ipv4_subnet_mask => hiera('ipv4_subnet_mask'),
Add baremetal hpuswest node definition Add definition for baremetal nodes for hpuswest, plus a script to one-time enroll and deploy nodes in bifrost. Co-Authored-By: Clint Byrum <clint@fewbar.com> Co-Authored-By: greghaynes <greg@greghaynes.net> Co-Authored-By: Yolanda Robla <info@ysoft.biz> Depends-On: I949344c16cf9ee3965b0bc96850eb208ac65b168 Change-Id: I947add7e8e8aa88fe6e881d77fd3278910b3b903
2015-08-05 11:04:13 -07:00
}
}
Style guide updates for manifest directory Change-Id: I40d54189eb6d5cd4512080ec5010fe339bac96e0 Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com> Reviewed-on: https://review.openstack.org/13830 Reviewed-by: James E. Blair <corvus@inaugust.com> Approved: Monty Taylor <mordred@inaugust.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Tested-by: Jenkins
2012-09-28 10:05:02 -04:00
# vim:sw=2:ts=2:expandtab:textwidth=79
Copy Permalink