Closed Bug 694300 Opened 13 years ago Closed 13 years ago

puppet manifests for signing machine

Categories

(Release Engineering :: General, defect, P2)

x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: catlee, Assigned: bhearsum)

Details

(Whiteboard: [puppet][signing])

Attachments

(1 file)

      No description provided.
I've been working on this.
Assignee: catlee → bhearsum
Here's what I think is the final version of the puppet manifests for the signing servers. Overview:
* Creates dep and nightly signing server instances for each signing server machine
* Each signing server instance has all non-secret things that it needs to run: binaries, test mars, config files, etc. Secrets need to be copied in by hand.
* I changed the mozilla repositories package to use _exclusively_ internal repositories. The masters and other machines that pick this up will make this change, too. This is a good thing, IMHO.
* I fixed a couple of bugs in the manifests pertaining to nrpe.

I tested this extensively on signing1 and signing2. I got to the point where no changes would be made to the existing instances on signing1 (running with --noop). On signing2, I was able to bring up new instances from scratch with the only manual intervention being copying in the secrets.

I did a quick --noop test on buildbot-master08, too - the only changes being made to it were the yum repos.
Attachment #579353 - Flags: review?(catlee)
Comment on attachment 579353 [details] [diff] [review]
puppet manifests for signing server

Review of attachment 579353 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with nits, and verification that the File/Exec clauses in instance.pp don't apply globally.

::: buildmaster-production.pp
@@ +206,5 @@
> +}
> +
> +node "signing1" inherits "masternode" {
> +    include releng::master
> +    # use LDAP and SSH keys for user-specific logins
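
Review bot: `node "signing1" inherits "masternode"` together with `include releng::master` hands the signing host whatever the buildbot master nodes receive, which is broader than a machine holding signing secrets should need. If the signing servers only require part of that configuration, move the required pieces into a narrower base node or class and inherit from that instead, so services and logins intended for masters are not provisioned on the signing machine.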

this comment doesn't apply any more

@@ +212,5 @@
> +}
> +
> +node "signing2" inherits "masternode" {
> +    include releng::master
> +    # use LDAP and SSH keys for user-specific logins
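
Review bot: the `signing2` node block repeats the `signing1` block line for line in what is visible here, so every later change has to be made twice and the two hosts can drift apart. Put the shared body in one class, or use one node definition that names both hosts, and keep each node block down to a single include.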

same here

::: modules/signingserver/manifests/instance.pp
@@ +46,5 @@
> +        owner => $user
> +    }
> +    Exec {
> +        user => $user
> +    }
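
Review bot: the `File { owner => $user }` and `Exec { user => $user }` defaults do not leak to the rest of the catalog, but they are not confined to the resources written in this define either. Puppet resource defaults are dynamically scoped, so they also apply to file and exec resources in any class or define declared from inside this one. Setting `owner => $user` and `user => $user` explicitly on each resource here avoids a later include silently creating files or running commands as the signing user.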

are the effects of these limited to just this define?

::: modules/signingserver/templates/iptables.erb
@@ +1,1 @@
> +# Generated by iptables-save v1.3.5 on Thu Oct 13 07:13:46 2011

Remove this and add our regular "#### This file is under configuration management" boilerplate

@@ +13,5 @@
> +<% signing_server_ports.each do |port| -%>
> +-A INPUT -p tcp -m tcp --dport <%= port %> -j ACCEPT
> +<% end -%>
> +COMMIT
> +# Completed on Thu Oct 13 07:13:46 2011
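
Review bot: the generated rule `-A INPUT -p tcp -m tcp --dport <%= port %> -j ACCEPT` has no source match, so each signing port accepts connections from any address that can route to the host. Add a `-s` restriction to the rule, fed from a second template variable (one would need to be introduced, none is visible in this hunk) listing the networks of the machines allowed to request signatures.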

this can go too
Attachment #579353 - Flags: review?(catlee) → review+
Attachment #579353 - Flags: checked-in+
This landed almost cleanly. I needed one follow-up fix to correct a duplicated definition on buildapi01: http://hg.mozilla.org/build/puppet-manifests/rev/1ebdea4cbc61

Leaving this bug open for adjustments due to daemonization of the signing server.
Turns out we didn't really need any adjustments for the daemonized version. I did land a change to adjust the max_token_age though: http://hg.mozilla.org/build/puppet-manifests/rev/ccdc32e78fed
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering