opendev/system-config
Code Issues Proposed changes

Merge "Clean up puppetmaster cruft"

Browse Source
This commit is contained in:
Jenkins 2017-05-24 20:02:33 +00:00 committed by Gerrit Code Review
commit b53941517d
6 changed files with 4 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/source/running-your-own.rst
View File

@ -376,9 +376,7 @@ to bring up initially, so that's our next step.
The platform specific slaves are named $platform-serial.slave.$PROJECT in The platform specific slaves are named $platform-serial.slave.$PROJECT in
site.pp. For instance, Python2.6 is not widely available now, so it runs on site.pp. For instance, Python2.6 is not widely available now, so it runs on
centos6-xx.slave.$platform nodes. There can be multiple slaves, and each centos6-xx.slave.$platform nodes.
gets their own puppet cert. The openstack/site.pp has a legacy setting for
``certname`` that you should remove.
#. Migrate modules/openstack_project/manifests/slave.pp #. Migrate modules/openstack_project/manifests/slave.pp
We reuse tmpcleanup as-is. We reuse tmpcleanup as-is.
@ -386,8 +384,6 @@ gets their own puppet cert. The openstack/site.pp has a legacy setting for
#. Convert a slave definition in site.pp. Lets say #. Convert a slave definition in site.pp. Lets say
``/^centos6-?\d+\.slave\.openstack\.org$/`` ``/^centos6-?\d+\.slave\.openstack\.org$/``
#. Remove the certname override - upstream are dropping this gradually.
#. Launch a node, passing in --image and --flavor to get a node that you #. Launch a node, passing in --image and --flavor to get a node that you
want :). e.g:: want :). e.g::

2
manifests/site.pp
View File

@ -1188,7 +1188,6 @@ node /^zlstatic\d+\.openstack\.org$/ {
iptables_rules6 => $iptables_rule, iptables_rules6 => $iptables_rule,
iptables_rules4 => $iptables_rule, iptables_rules4 => $iptables_rule,
sysadmins => hiera('sysadmins', []), sysadmins => hiera('sysadmins', []),
puppetmaster_server => 'puppetmaster.openstack.org',
afs => true, afs => true,
} }
class { 'openstack_project::zuul_launcher': class { 'openstack_project::zuul_launcher':
@ -1217,7 +1216,6 @@ node /^zl\d+\.openstack\.org$/ {
iptables_rules6 => $iptables_rule, iptables_rules6 => $iptables_rule,
iptables_rules4 => $iptables_rule, iptables_rules4 => $iptables_rule,
sysadmins => hiera('sysadmins', []), sysadmins => hiera('sysadmins', []),
puppetmaster_server => 'puppetmaster.openstack.org',
afs => true, afs => true,
} }
class { 'openstack_project::zuul_launcher': class { 'openstack_project::zuul_launcher':

18
modules/openstack_project/manifests/puppetmaster.pp
View File

@ -194,27 +194,15 @@ class openstack_project::puppetmaster (
# For puppet master apache serving. # For puppet master apache serving.
package { 'puppetmaster-passenger': package { 'puppetmaster-passenger':
ensure => present, ensure => absent,
} }
file { '/etc/apache2/sites-available/puppetmaster.conf': file { '/etc/apache2/sites-available/puppetmaster.conf':
ensure => present, ensure => absent,
owner => 'root',
group => 'root',
mode => '0600',
content => template('openstack_project/puppetmaster/puppetmaster_vhost.conf.erb'),
require => Package['puppetmaster-passenger'],
} }
# To set LANG to utf8, otherwise we get charset errors on manifests
# with non-ascii chars
file { '/etc/apache2/envvars': file { '/etc/apache2/envvars':
ensure => present, ensure => absent,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/puppetmaster/envvars.debian',
require => Package['puppetmaster-passenger'],
} }
# For launch/launch-node.py. # For launch/launch-node.py.

2
modules/openstack_project/manifests/server.pp
View File

@ -7,13 +7,11 @@ class openstack_project::server (
$iptables_rules4 = [], $iptables_rules4 = [],
$iptables_rules6 = [], $iptables_rules6 = [],
$sysadmins = [], $sysadmins = [],
$certname = $::fqdn,
$pin_puppet = '3.', $pin_puppet = '3.',
$ca_server = undef, $ca_server = undef,
$enable_unbound = true, $enable_unbound = true,
$afs = false, $afs = false,
$afs_cache_size = 500000, $afs_cache_size = 500000,
$puppetmaster_server = 'puppetmaster.openstack.org',
$manage_exim = true, $manage_exim = true,
$pypi_index_url = 'https://pypi.python.org/simple', $pypi_index_url = 'https://pypi.python.org/simple',
$purge_apt_sources = true, $purge_apt_sources = true,

2
modules/openstack_project/manifests/slave.pp
View File

@ -2,7 +2,6 @@
# #
class openstack_project::slave ( class openstack_project::slave (
$thin = false, $thin = false,
$certname = $::fqdn,
$ssh_key = '', $ssh_key = '',
$sysadmins = [], $sysadmins = [],
$jenkins_gitfullname = 'OpenStack Jenkins', $jenkins_gitfullname = 'OpenStack Jenkins',
@ -20,7 +19,6 @@ class openstack_project::slave (
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [19885], iptables_public_tcp_ports => [19885],
iptables_public_udp_ports => [], iptables_public_udp_ports => [],
certname => $certname,
sysadmins => $sysadmins, sysadmins => $sysadmins,
afs => $afs afs => $afs
} }

60
modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
View File

@ -1,60 +0,0 @@
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.
# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.
# This file is basically the one shipped by puppet with changes annotated
# below.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# This line is commented out by puppet and uncommented here to avoid a
# memory leak.
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
Listen 8140
<VirtualHost *:8140>
SSLEngine on
# This replaces puppet's default SSLProtocol spec to prevent POODLE
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
SSLHonorCipherOrder on
SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking; if you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>