Closed
Bug 694300
Opened 14 years ago
Closed 14 years ago
puppet manifests for signing machine
Categories
(Release Engineering :: General, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: catlee, Assigned: bhearsum)
Details
(Whiteboard: [puppet][signing])
Attachments
(1 file)
19.91 KB, patch | catlee: review+ | bhearsum: checked-in+
No description provided.
Assignee | ||
Comment 2•14 years ago
|
||
Here's what I think is the final version of the puppet manifests for the signing servers. Overview:
* Creates dep and nightly signing server instances for each signing server machine
* Each signing server instance has all non-secret things that it needs to run: binaries, test mars, config files, etc. Secrets need to be copied in by hand.
* I changed the mozilla repositories package to use _exclusively_ internal repositories. The masters and other machines that pick up this will make this change, too. This is a good thing, IMHO.
* I fixed a couple of bugs in the manifests pertaining to nrpe
I did tests of this extensively on signing1 and signing2. I got to the point where no changes would be made to the existing instances on signing1 (running with --noop). On signing2, I was able to bring up new instances from scratch with the only manual intervention being copying in the secrets.
I did a quick --noop test on buildbot-master08, too - the only changes being made to it were the yum repos.
Attachment #579353 -
Flags: review?(catlee)
Reporter | ||
Comment 3•14 years ago
|
||
Comment on attachment 579353
puppet manifests for signing server
Review of attachment 579353:
-----------------------------------------------------------------
r+ with nits, and verification that the File/Exec clauses in instance.pp don't apply globally.
::: buildmaster-production.pp
@@ +206,5 @@
> +}
> +
> +node "signing1" inherits "masternode" {
> + include releng::master
> + # use LDAP and SSH keys for user-specific logins
this comment doesn't apply any more
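Review bot: `include releng::master` under `node "signing1" inherits "masternode"` applies the build-master configuration to a host that holds signing secrets, and nothing in the visible lines narrows it. List what the signing server needs from those two and move it into a dedicated class, so the signing hosts carry only that.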
@@ +212,5 @@
> +}
> +
> +node "signing2" inherits "masternode" {
> + include releng::master
> + # use LDAP and SSH keys for user-specific logins
same here
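Review bot: the signing2 node block repeats the signing1 block in every visible line except the name. One node statement naming both hosts (Puppet accepts a comma-separated list of node names) would keep the two definitions from drifting apart.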
::: modules/signingserver/manifests/instance.pp
@@ +46,5 @@
> + owner => $user
> + }
> + Exec {
> + user => $user
> + }
are the effects of these limited to just this define?
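Review bot: the capitalized `File { owner => $user }` and `Exec { user => $user }` defaults in this define are not global, but Puppet resource defaults are dynamically scoped, so they also reach any class or define declared from inside instance.pp. Either confirm the define declares nothing but its own file and exec resources, or set `owner` and `user` explicitly on each resource so an instance's user cannot end up applied to resources that were never meant to run as it.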
::: modules/signingserver/templates/iptables.erb
@@ +1,1 @@
> +# Generated by iptables-save v1.3.5 on Thu Oct 13 07:13:46 2011
Remove this and add our regular "#### This file is under configuration management" boilerplate
@@ +13,5 @@
> +<% signing_server_ports.each do |port| -%>
> +-A INPUT -p tcp -m tcp --dport <%= port %> -j ACCEPT
> +<% end -%>
> +COMMIT
> +# Completed on Thu Oct 13 07:13:46 2011
this can go too
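Review bot: the `-A INPUT -p tcp -m tcp --dport <%= port %> -j ACCEPT` rule in the loop carries no source match, so every port in signing_server_ports is opened to any host that can reach the machine. Pass the allowed client networks into the template and add `-s` to the rule, so only the intended clients can connect to the signing ports.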
Attachment #579353 -
Flags: review?(catlee) → review+
Assignee | ||
Updated•14 years ago
|
Attachment #579353 -
Flags: checked-in+
Assignee | ||
Comment 4•14 years ago
|
||
This landed almost cleanly. I needed one follow-up fix to correct a duplicated definition on buildapi01: http://hg.mozilla.org/build/puppet-manifests/rev/1ebdea4cbc61
Leaving this bug open for adjustments due to daemonization of the signing server.
Assignee | ||
Comment 5•14 years ago
|
||
Turns out we didn't really need any adjustments for the daemonized version. I did land a change to adjust the max_token_age though: http://hg.mozilla.org/build/puppet-manifests/rev/ccdc32e78fed
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Product: mozilla.org → Release Engineering