Add puppet master

Opens up the required port for a puppet master server Adds a git pull to update the master Update the docs for the improved way of configuring puppet master Change-Id: I12a4c2820f78df723ede922ca8e0b9d33ed42a33
2012-06-06 20:54:34 +01:00 · 2012-06-06 20:54:34 +01:00 · 7b5691ec95
commit 7b5691ec95
parent 9bc505d986
2 changed files with 58 additions and 32 deletions
--- a/doc/puppet.rst
+++ b/doc/puppet.rst
@ -16,25 +16,30 @@ ship the data to the clients.  To install this:
 .. code-block:: bash
-  sudo apt-get install puppet puppetmaster puppetmaster-passenger
+  sudo apt-get install puppet puppetmaster-passenger
-Note that this may break the first time round due to not-so-perfect packaging
+Files for puppet master are stored in a git repo clone at
-involved.  You will also need to stop the puppetmaster service and edit the
+``/opt/openstack-ci-puppet``.  In StackForge we have a ``root`` cron job that
-``/etc/defaults/puppetmaster`` file to change ``START=no``.  Puppetmaster needs
+automatically populates these from our puppet git repository as follows:
 to run first because it creates the SSL CA used to sign puppet agents (the
 passenger service does not do this).
 This should then allow you to start ``apache2`` which in turn will automatically
 manage the puppet master.
 Files for puppet master are stored in ``/etc/puppet`` with the subdirectories
 ``manifests`` and ``modules`` being the important ones.  In StackForge we have
 a ``root`` cron job that automatically populates these from our puppet git
 repository as follows:
 .. code-block:: bash
-  */15 * * * * sleep $((RANDOM\%600)) && cd /srv/openstack-ci-puppet && /usr/bin/git pull -q  && cp /srv/openstack-ci-puppet/manifests/users.pp /etc/puppet/manifests/ && cp /srv/openstack-ci-puppet/manifests/stackforge.pp /etc/puppet/manifests/site.pp && cp -a /srv/openstack-ci-puppet/modules/ /etc/puppet/
+  */15 * * * * sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet && /usr/bin/git pull -q
 The ``/etc/puppet/puppet.conf`` file then needs updating to point to the
 manifest and modules as follows:
 .. code-block:: ini
   [master]
   # These are needed when the puppetmaster is run by passenger
   # and can safely be removed if webrick is used.
   ssl_client_header = SSL_CLIENT_S_DN
   ssl_client_verify_header = SSL_CLIENT_VERIFY
   manifestdir=/opt/openstack-ci-puppet/manifests
   modulepath=/opt/openstack-ci-puppet/modules
   manifest=$manifestdir/stackforge.pp
 Adding a node
 -------------
@ -45,26 +50,30 @@ On the new server connecting to the puppet master:
  sudo apt-get install puppet
-Then edit the ``/etc/default/puppet`` file to look like this:
+Then edit the ``/etc/default/puppet`` file to change the start variable:
 .. code-block:: ini
  # Defaults for puppet - sourced by /etc/init.d/puppet
  # Start puppet on boot?
  START=yes
-  # Startup options
+The node then needs to be configured to set a fixed hostname and the hostname
-  DAEMON_OPTS="--server puppet.stackforge.org"
+of the puppet master with the following additions to ``/etc/puppet/puppet.conf``:
-You can then start the puppet agent with:
+.. code-block:: ini
   [main]
   server=puppet.stackforge.org
   certname=review.stackforge.org
 The cert signing process needs to be started with:
 .. code-block:: bash
-  sudo service puppet start
+  sudo puppet agent --test
-Once the node has started it will make a request to the puppet master to have
+This will make a request to the puppet master to have its SSL cert signed.
-its SSL cert signed.  On the puppet master:
+On the puppet master:
 .. code-block:: bash
@ -72,26 +81,30 @@ its SSL cert signed.  On the puppet master:
 You should get a list of entries similar to the one below::
-  review.novalocal       (44:18:BB:DF:08:50:62:70:17:07:82:1F:D5:70:0E:BF)
+  review.stackforge.org  (44:18:BB:DF:08:50:62:70:17:07:82:1F:D5:70:0E:BF)
 If you see the new node there you can sign its cert on the puppet master with:
 .. code-block:: bash
-  sudo puppet cert sign review.novalocal
+  sudo puppet cert sign review.stackforge.org
 Finally on the puppet agent you need to start the agent daemon:
 .. code-block:: bash
   sudo service puppet start
 Now that it is signed the puppet agent will execute any instructions for its
 node on the next run (default is every 30 minutes).  You can trigger this
-earlier by restarting the puppet service on the new node.
+earlier by restarting the puppet service on the agent node.
 Important Notes
 ---------------
 #. The hostname of the nodes **must** match the the forward looking for the DNS.
   For example the server pointed to with the DNS entry
   ``jenkins.stackforge.org`` must have the hostname ``jenkins.stackforge.org``
   otherwise the SSL signing or standard run will fail.
 #. Make sure the site manifest **does not** include the puppet cron job, this
   conflicts with puppet master and can cause issues.  The initial puppet run
   that create users should be done using the puppet agent configuration above.
 #. If you do not see the cert in the master's cert list the agent's
   ``/var/log/syslog`` should have an entry showing you why.
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -295,6 +295,19 @@ node "community.openstack.org" {
  )
 }
 node "ci-puppetmaster.openstack.org" {
  class { 'openstack_server':
    iptables_public_tcp_ports => [8140]
  }
  cron { "updatepuppetmaster":
    user => root,
    minute => "*/15",
    command => 'sleep $((RANDOM\%600)) && cd /opt/openstack-ci-puppet && /usr/bin/git pull -q',
    environment => "PATH=/var/lib/gems/1.8/bin:/usr/bin:/bin:/usr/sbin:/sbin",
  }
 }
 node "lists.openstack.org" {
  include openstack_cron