From 7b5691ec95987632b9d3a231951a295c3fee9248 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 6 Jun 2012 20:54:34 +0100 Subject: [PATCH] Add puppet master Opens up the required port for a puppet master server Adds a git pull to update the master Update the docs for the improved way of configuring puppet master Change-Id: I12a4c2820f78df723ede922ca8e0b9d33ed42a33 --- doc/puppet.rst | 77 +++++++++++++++++++++++++++-------------------- manifests/site.pp | 13 ++++++++ 2 files changed, 58 insertions(+), 32 deletions(-) diff --git a/doc/puppet.rst b/doc/puppet.rst index c69b108644..7a505872bb 100644 --- a/doc/puppet.rst +++ b/doc/puppet.rst 
@@ -16,25 +16,30 @@ ship the data to the clients. To install this: .. code-block:: bash - sudo apt-get install puppet puppetmaster puppetmaster-passenger + sudo apt-get install puppet puppetmaster-passenger -Note that this may break the first time round due to not-so-perfect packaging -involved. You will also need to stop the puppetmaster service and edit the -``/etc/defaults/puppetmaster`` file to change ``START=no``. Puppetmaster needs -to run first because it creates the SSL CA used to sign puppet agents (the -passenger service does not do this). - -This should then allow you to start ``apache2`` which in turn will automatically -manage the puppet master. - -Files for puppet master are stored in ``/etc/puppet`` with the subdirectories -``manifests`` and ``modules`` being the important ones. In StackForge we have -a ``root`` cron job that automatically populates these from our puppet git -repository as follows: +Files for puppet master are stored in a git repo clone at +``/opt/openstack-ci-puppet``. In StackForge we have a ``root`` cron job that +automatically populates these from our puppet git repository as follows: .. code-block:: bash - */15 * * * * sleep $((RANDOM\%600)) && cd /srv/openstack-ci-puppet && /usr/bin/git pull -q && cp /srv/openstack-ci-puppet/manifests/users.pp /etc/puppet/manifests/ && cp /srv/openstack-ci-puppet/manifests/stackforge.pp /etc/puppet/manifests/site.pp && cp -a /srv/openstack-ci-puppet/modules/ /etc/puppet/ + */15 * * * * sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet && /usr/bin/git pull -q + +The ``/etc/puppet/puppet.conf`` file then needs updating to point to the +manifest and modules as follows: + +.. code-block:: ini + + [master] + # These are needed when the puppetmaster is run by passenger + # and can safely be removed if webrick is used. 
+ ssl_client_header = SSL_CLIENT_S_DN + ssl_client_verify_header = SSL_CLIENT_VERIFY + manifestdir=/opt/openstack-ci-puppet/manifests + modulepath=/opt/openstack-ci-puppet/modules + manifest=$manifestdir/stackforge.pp + Adding a node ------------- @@ -45,26 +50,30 @@ On the new server connecting to the puppet master: sudo apt-get install puppet -Then edit the ``/etc/default/puppet`` file to look like this: +Then edit the ``/etc/default/puppet`` file to change the start variable: .. code-block:: ini - # Defaults for puppet - sourced by /etc/init.d/puppet - # Start puppet on boot? START=yes - # Startup options - DAEMON_OPTS="--server puppet.stackforge.org" +The node then needs to be configured to set a fixed hostname and the hostname +of the puppet master with the following additions to ``/etc/puppet/puppet.conf``: -You can then start the puppet agent with: +.. code-block:: ini + + [main] + server=puppet.stackforge.org + certname=review.stackforge.org + +The cert signing process needs to be started with: .. code-block:: bash - sudo service puppet start + sudo puppet agent --test -Once the node has started it will make a request to the puppet master to have -its SSL cert signed. On the puppet master: +This will make a request to the puppet master to have its SSL cert signed. +On the puppet master: .. code-block:: bash 
@@ -72,26 +81,30 @@ its SSL cert signed. On the puppet master: You should get a list of entries similar to the one below:: - review.novalocal (44:18:BB:DF:08:50:62:70:17:07:82:1F:D5:70:0E:BF) + review.stackforge.org (44:18:BB:DF:08:50:62:70:17:07:82:1F:D5:70:0E:BF) If you see the new node there you can sign its cert on the puppet master with: .. code-block:: bash - sudo puppet cert sign review.novalocal + sudo puppet cert sign review.stackforge.org + +Finally on the puppet agent you need to start the agent daemon: + +.. code-block:: bash + + sudo service puppet start Now that it is signed the puppet agent will execute any instructions for its node on the next run (default is every 30 minutes). You can trigger this -earlier by restarting the puppet service on the new node. +earlier by restarting the puppet service on the agent node. Important Notes --------------- -#. The hostname of the nodes **must** match the the forward looking for the DNS. - For example the server pointed to with the DNS entry - ``jenkins.stackforge.org`` must have the hostname ``jenkins.stackforge.org`` - otherwise the SSL signing or standard run will fail. - #. Make sure the site manifest **does not** include the puppet cron job, this conflicts with puppet master and can cause issues. The initial puppet run that create users should be done using the puppet agent configuration above. + +#. If you do not see the cert in the master's cert list the agent's + ``/var/log/syslog`` should have an entry showing you why. diff --git a/manifests/site.pp b/manifests/site.pp index 78e66dfd82..5c7a20a68e 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
@@ -295,6 +295,19 @@ node "community.openstack.org" { ) } +node "ci-puppetmaster.openstack.org" { + class { 'openstack_server': + iptables_public_tcp_ports => [8140] + } + cron { "updatepuppetmaster": + user => root, + minute => "*/15", + command => 'sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet && /usr/bin/git pull -q', + environment => "PATH=/var/lib/gems/1.8/bin:/usr/bin:/bin:/usr/sbin:/sbin", + } + +} + node "lists.openstack.org" { include openstack_cron
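Review bot: In the first doc/puppet.rst hunk (the install paragraph, @@ -16,25), the removed text was the only place that said the CA is created by the standalone puppetmaster and not by the passenger service, yet the new instructions install only ``puppetmaster-passenger`` and never say how the CA and master cert are bootstrapped before apache2 starts. If the package now handles this, state it; otherwise keep a sentence on generating the CA first, since without it the ``puppet cert`` steps later in the doc have nothing to sign with.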
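Review bot: In the "Adding a node" hunk (@@ -45,26), ``certname=review.stackforge.org`` is shown as if it were the value to copy into every new node's ``/etc/puppet/puppet.conf``; with the old forward-DNS rule deleted from "Important Notes", nothing now tells the reader that certname must be that node's own FQDN and unique per node. Suggest a placeholder plus one sentence, e.g. "certname=<fqdn of this node>", and note that the node will be matched to the ``node`` block of that name in the manifest.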
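Review bot: In the cert-signing hunk (@@ -72,26), the master-side step signs purely on the name shown in ``puppet cert list`` (``sudo puppet cert sign review.stackforge.org``) even though the list output in the same hunk prints the request fingerprint. Anyone who can reach the master can submit a CSR with an arbitrary certname, so the doc should tell the reader to compare that fingerprint with the one reported on the agent (``puppet agent --fingerprint``) before signing, and only then run ``puppet cert sign``.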
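Review bot: In the manifests/site.pp hunk, ``iptables_public_tcp_ports => [8140]`` opens the master to the whole internet, while the ``updatepuppetmaster`` cron runs ``git pull -q`` as root every 15 minutes with no branch or tag pinned and no check on what was fetched; together this means whoever can push to the remote controls root on every managed node, so at minimum pin the branch and document who may push. Two smaller points: the same cron command now lives both here and in doc/puppet.rst, so keep them in sync (or reference the manifest from the doc), and there is a stray blank line before the node's closing ``}``.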