From 6e27eede4a8898a95d61583607452933b0e61b5c Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Fri, 20 Jul 2012 12:38:54 -0700 Subject: [PATCH] Turn off cron and document hiera. Change-Id: I7a2db915d8849894a6b218980df6371378f0c77a --- doc/index.rst | 1 - doc/puppet.rst | 59 ++++++++++++++++++++++++++++++++++-------- doc/puppet_modules.rst | 16 ++++++------ doc/stackforge.rst | 41 ----------------------------- manifests/site.pp | 20 +++++++------- 5 files changed, 66 insertions(+), 71 deletions(-) delete mode 100644 doc/stackforge.rst diff --git a/doc/index.rst b/doc/index.rst index 143346a78d..2680d91e54 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -23,7 +23,6 @@ Howtos: :maxdepth: 2 third_party - stackforge Contents: diff --git a/doc/puppet.rst b/doc/puppet.rst index 7a505872bb..1f2c3f179c 100644 --- a/doc/puppet.rst +++ b/doc/puppet.rst @@ -4,9 +4,10 @@ Puppet Master Overview -------- -Instead of using a cron job, StackForge uses a puppet master to host the puppet -manifests and modules. The other nodes then connect to this as puppet agents -to get their configuration. +Puppet agent is a mechanism use to pull puppet manifests and configuration +from a centralized master. This means there is only one place that needs to +hold secure information such as passwords, and only one location for the git +repo holding the modules. Puppet Master ------------- 
@@ -19,12 +20,12 @@ ship the data to the clients. To install this: sudo apt-get install puppet puppetmaster-passenger Files for puppet master are stored in a git repo clone at -``/opt/openstack-ci-puppet``. In StackForge we have a ``root`` cron job that +``/opt/openstack-ci-puppet``. We have a ``root`` cron job that automatically populates these from our puppet git repository as follows: .. code-block:: bash - */15 * * * * sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet && /usr/bin/git pull -q + \*/15 * * * * sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet && /usr/bin/git pull -q The ``/etc/puppet/puppet.conf`` file then needs updating to point to the manifest and modules as follows: 
@@ -38,13 +39,49 @@ manifest and modules as follows: ssl_client_verify_header = SSL_CLIENT_VERIFY manifestdir=/opt/openstack-ci-puppet/manifests modulepath=/opt/openstack-ci-puppet/modules - manifest=$manifestdir/stackforge.pp + manifest=$manifestdir/site.pp +Hiera +----- + +Hiera is used to maintain secret information on the puppetmaster. + +We want to install hiera from puppetlabs' apt repo, but we don't want to get +on the puppet upgrade train - so the process is as follows: + +.. code-block:: bash + + echo "deb http://apt.puppetlabs.com precise devel" > /etc/apt/sources.list.d/puppetlabs.list + apt-get update + apt-get install hiera hiera-puppet + rm /etc/apt/sources.list.d/puppetlabs.list + apt-get update + +Hiera uses a systemwide configuration file in ``/etc/puppet/hiera.yaml`` +which tells is where to find subsequent configuration files. + +.. code-block:: yaml + + --- + :hierarchy: + - %{operatingsystem} + - common + :backends: + - yaml + :yaml: + :datadir: '/etc/puppet/hieradata/%{environment}' + +This setup supports multiple configuration. The two sets of environments +that OpenStack CI users are ``production`` and ``development``. ``production`` +is the default is and the environment used when nothing else is specified. +Then the configuration needs to be placed into common.yaml in +``/etc/puppet/hieradata/production`` and ``/etc/puppet/hieradata/development``. +The values are simple key-value pairs in yaml format. Adding a node ------------- -On the new server connecting to the puppet master: +On the new server connecting (for example, review.openstack.org) to the puppet master: .. code-block:: bash @@ -63,8 +100,8 @@ of the puppet master with the following additions to ``/etc/puppet/puppet.conf`` .. code-block:: ini [main] - server=puppet.stackforge.org - certname=review.stackforge.org + server=ci-puppetmaster.openstack.org + certname=review.openstack.org The cert signing process needs to be started with: 
@@ -81,13 +118,13 @@ On the puppet master: You should get a list of entries similar to the one below:: - review.stackforge.org (44:18:BB:DF:08:50:62:70:17:07:82:1F:D5:70:0E:BF) + review.openstack.org (44:18:BB:DF:08:50:62:70:17:07:82:1F:D5:70:0E:BF) If you see the new node there you can sign its cert on the puppet master with: .. code-block:: bash - sudo puppet cert sign review.stackforge.org + sudo puppet cert sign review.openstack.org Finally on the puppet agent you need to start the agent daemon: diff --git a/doc/puppet_modules.rst b/doc/puppet_modules.rst index 853522b1fb..702d6d9f86 100644 --- a/doc/puppet_modules.rst +++ b/doc/puppet_modules.rst @@ -179,16 +179,16 @@ manifest: .. code-block:: ruby class { 'gerrit': - canonicalweburl => "https://review.stackforge.org/", - email => "review@stackforge.org", - github_projects => [ { - name => 'stackforge/MRaaS', - close_pull => 'true' - } ], - logo => 'stackforge.png' + canonicalweburl => "https://review.openstack.org/", + email => "review@openstack.org", + github_projects => [ + 'openstack/nova', + 'stackforge/MRaaS', + ], + logo => 'openstack.png' } -Most of these options are self-explanitory. The github_projects is a list of +Most of these options are self-explanitory. The ``github_projects`` is a list of all projects in GitHub which are managed by the gerrit server. Skinning diff --git a/doc/stackforge.rst b/doc/stackforge.rst deleted file mode 100644 index c89cd06918..0000000000 --- a/doc/stackforge.rst +++ /dev/null 
@@ -1,41 +0,0 @@ -HOWTO: Add a Project to StackForge -================================== - -Overview --------- - -StackForge is a Gerrit review and Jenkins CI setup similar to that of the main -OpenStack project but for use with projects that are not under the main -OpenStack umbrella. - -Any project can be added to StackForge as long as it is related to OpenStack in -some way. - -Launchpad ---------- - -All the developers of the project need to sign up to Launchpad and a team is -needed for the core project reviewers to join. This team also needs to be -a sub-team of the `OpenStack team `_ so that -Gerrit will be able to see it. - -GitHub ------- - -If you already have a branch on GitHub for the project this will need moving to -the StackForge GitHub organization. Otherwise a new branch will need creating -for you. The OpenStack Core Infrastructure team can assist in this. - -Jenkins and Gerrit ------------------- - -Until the setup is more automated the OpenStack Core Infrastructure team will -need to do the Jenkins and Gerrit portion of the setup too. If you project is -Python based we have a `Project Testing Interface `_ that we prefer you use. Otherwise please let the CI -team know the testing requirements for Jenkins. - -Contacting the CI Team ----------------------- - -The best way to get the CI team to help with the above steps is to `file a CI bug `_. We are also available on the -#openstack-infra IRC channel or to the `CI Admins email address `_. diff --git a/manifests/site.pp b/manifests/site.pp index 66ff2ecab8..e0768d2e9e 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -117,7 +117,7 @@ node default { # thus, set it to 5000minutes until the bug is fixed. node "review.openstack.org" { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [80, 443, 29418] } 
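Review bot: Nothing in this patch ensures the puppet agent is enrolled and running on `review.openstack.org` before `include remove_openstack_cron` takes away what is presumably its cron-driven puppet run; the same applies to the gerrit-dev/review-dev, jenkins, jenkins-dev, community, lists, docs, pypi, etherpad and wiki hunks that follow. If enrolment is the manual cert-sign procedure described in doc/puppet.rst, a node that was missed would stop converging without any error, and its `iptables_public_tcp_ports` rules and other managed settings could drift unnoticed. Consider confirming a signed cert and a first successful agent run per node before this lands, or managing the agent service in the same manifest. `remove_openstack_cron` is not defined in any of the five files in the diffstat, so I assume it already exists in the modules tree. A comment above the first use would help later readers, e.g. `# Transitional: removes the old puppet cron job; drop once every node runs the puppet agent.`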
@@ -273,7 +273,7 @@ node "review.openstack.org" { } node "gerrit-dev.openstack.org", "review-dev.openstack.org" { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [80, 443, 29418] } @@ -300,7 +300,7 @@ node "gerrit-dev.openstack.org", "review-dev.openstack.org" { } node "jenkins.openstack.org" { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [80, 443, 4155] } @@ -369,7 +369,7 @@ node "jenkins.openstack.org" { } node "jenkins-dev.openstack.org" { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [80, 443, 4155] } @@ -387,7 +387,7 @@ node "jenkins-dev.openstack.org" { } node "community.openstack.org" { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [80, 443, 8099, 8080] } @@ -411,7 +411,7 @@ node "ci-puppetmaster.openstack.org" { } node "lists.openstack.org" { - include openstack_cron + include remove_openstack_cron # Using openstack_template instead of openstack_server # because the exim config on this machine is almost certainly @@ -439,7 +439,7 @@ node "lists.openstack.org" { } node "docs.openstack.org" { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [] } @@ -494,7 +494,7 @@ node "eavesdrop.openstack.org" { } node "pypi.openstack.org" { - include openstack_cron + include remove_openstack_cron # include jenkins slave so that build deps are there for the pip download class { 'jenkins_slave': @@ -529,7 +529,7 @@ node "pypi.openstack.org" { } node 'etherpad.openstack.org' { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [22, 80, 443] } 
@@ -546,7 +546,7 @@ node 'etherpad.openstack.org' { } node 'wiki.openstack.org' { - include openstack_cron + include remove_openstack_cron class { 'openstack_server': iptables_public_tcp_ports => [80, 443] }