Deploy roller with releng puppet

Status: NEW
Product: Infrastructure & Operations
Component: RelOps: Puppet
Opened 13 days ago, updated 4 days ago

People

(Reporter: dividehex, Assigned: dividehex)

Tracking

(Blocks: 1 bug)

Attachments

(4 attachments, 1 obsolete attachment)

(Assignee)

Description

13 days ago
The tentative plan is to manage deployment and provisioning of the roller service with releng puppet.  Since roller is built within docker images, I plan on using Ubuntu 16.04 (since this is our most modern OS supported) with a modern version of docker installed.  This also means mirroring the docker-ce apt repo to install docker.
(Assignee)

Comment 1

13 days ago
Created attachment 8941228 [details] [diff] [review]
minor fixes to ubuntu 16.04 puppet support

This:

1) allows puppet to realize cron as a systemd service
2) prevents the install iptables exec from running on every puppet run
Attachment #8941228 - Flags: review?(dhouse)

Updated

12 days ago
Attachment #8941228 - Flags: review?(dhouse) → review+
(Assignee)

Comment 3

5 days ago
Created attachment 8943396 [details] [diff] [review]
allow trusting of unsigned apt repos

I came across an issue with Ubuntu 16.04 where apt is not accepting unsigned repos.

For example:

Reading package lists... Done
W: The repository 'https://puppetagain-apt.pvt.build.mozilla.org/repos/apt/custom/kernel xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'https://puppetagain-apt.pvt.build.mozilla.org/repos/apt/custom/mig-agent xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.


This patch allows for trusting of the custom (unsigned) repos.
Attachment #8943396 - Flags: review?(dhouse)

Updated

5 days ago
Attachment #8943396 - Flags: review?(dhouse) → review+
(Assignee)

Comment 5

5 days ago
Created attachment 8943455 [details] [diff] [review]
adjust apt source options and add docker-ce mirror repo

This adjusts the last patch to allow multiple options to be passed to the aptrepo defined resource and adds a docker-ce mirror repo as a virtual repo resource.
Attachment #8943455 - Flags: review?(dhouse)
(Assignee)

Comment 6

5 days ago
... and it looks like the fw module is going to conflict with the rules docker is putting in place. :-(

Notice: /Stage[main]/Main/Firewall[9009 fe610d70c21ce9c0931056b9ea87cf49]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9003 efa39a4b89effc9642a89cf152ca1143]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9002 f5c6b7c8832d4b28ed0fdf8a525e233e]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9005 779207048a07114ad1f62eca677f85c7]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9001 fec05d8f28ba51df24276694fc37936d]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9012 e314954b40aa56dd6d50f3884f151c98]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9011 4718f5ca335eeb57719ef8342fdfcd1b]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9006 bbbb8cc8641f314ea26b871afd72a5e6]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9004 cedf0366b942d83904bcc79dbe2bae22]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9010 74aa613649d9718fb31361867b84366f]/ensure: removed
Notice: /Stage[main]/Main/Firewall[9008 305cfb035fc4adba0e46cad3d15bca23]/ensure: removed

Updated

4 days ago
Attachment #8943455 - Flags: review?(dhouse) → review+
(Assignee)

Comment 8

4 days ago
Created attachment 8943743 [details] [diff] [review]
purge firewall chains and ignore docker rules

The solution to the conflict between the puppet firewall module and docker's dynamic rules is to not purge ALL unmanaged rules but to only purge the 3 built-in chains (INPUT, OUTPUT and FORWARD) while ignoring rules matching docker.  Other user-defined chains such as DOCKER, DOCKER-ISOLATION and DOCKER-USER are safely ignored also.
Attachment #8943743 - Flags: review?(dhouse)
(Assignee)

Updated

4 days ago
Attachment #8943743 - Attachment is patch: true

Updated

4 days ago
Attachment #8943743 - Flags: review?(dhouse) → review+
(Assignee)

Comment 9

4 days ago
Created attachment 8943746 [details] [diff] [review]
purge IPv4/IPv6 firewall chains and ignore docker rules

I forgot to include the IPv6 chains.  This includes them.
Attachment #8943743 - Attachment is obsolete: true
Attachment #8943746 - Flags: review?(dhouse)
(Assignee)

Updated

4 days ago
Attachment #8943746 - Attachment is patch: true

Updated

4 days ago
Attachment #8943746 - Flags: review?(dhouse) → review+
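
The chain-scoped purge described in comments 8 and 9, written out as an added example; it is not taken from the attachments on this bug. It assumes the puppetlabs-firewall module's `firewallchain` type, and the `ignore` patterns are illustrative and need checking against `iptables-save` output on a host that is running docker.

```puppet
# Added example, not the patch attached to this bug.
# Assumes the puppetlabs-firewall module; ignore patterns are illustrative.

# Before: purge every rule puppet does not manage, in every chain and table.
# This is what removes the rules dockerd inserts at runtime.
#
# resources { 'firewall':
#   purge => true,
# }

# After: purge per chain, limited to the built-in filter chains.
# Each 'ignore' entry is a regex matched against the rule as printed by
# iptables-save; a matching rule is left in place even though puppet
# does not manage it.
$docker_rule_patterns = [
  # jumps into DOCKER, DOCKER-ISOLATION and DOCKER-USER
  '-j DOCKER',
  # rules bound to the default bridge
  '-[io] docker0',
  # rules bound to user-defined bridge networks (br-<12 hex chars>)
  '-[io] br-[0-9a-f]{12}',
]

firewallchain { [
  'INPUT:filter:IPv4',
  'OUTPUT:filter:IPv4',
  'FORWARD:filter:IPv4',
  'INPUT:filter:IPv6',
  'OUTPUT:filter:IPv6',
  'FORWARD:filter:IPv6',
]:
  ensure => present,
  purge  => true,
  ignore => $docker_rule_patterns,
}

# Chains that are not listed above (DOCKER, DOCKER-ISOLATION, DOCKER-USER,
# everything in the nat table) are no longer purged at all, so any rule
# added there by hand stays until something else removes it.
```

Run the agent with `--noop` first and confirm that the `Firewall[9xxx ...]/ensure: removed` notices from comment 6 no longer appear for docker's rules, while unmanaged rules in INPUT, OUTPUT and FORWARD are still reported for removal.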