User:Djmitche/New Releng Puppet Infrastructure: Difference between revisions

User:Djmitche/New Releng Puppet Infrastructure (view source)

496 bytes added , 25 August 2011

no edit summary

canmove, Confirmed users

1,394

edits

@@ Line 5: / Line 5: @@
 * Manifests structured to apply settings across all machines, rather than distinct sets of manifests for each slave silo
 * Usable by external parties, both inside and outside of mozilla
+* Hands-free installations
 = General =
@@ Line 19: / Line 20: @@
 The masters update their manifests from mercurial once every 5 minutes, with a bit of "splay" added (so it does not always occur on the 5-minute mark).  Any errors during the update are emailed, as well as a diff of the manifests when they change; the latter forms a kind of change control.
-Masters currently autosign, although this will change soon.
+== Cert Signing ==
+  A sysadmin asked the Architect,
+    "What's the best way to install a new system?"
+  The Architect answered,
+    "Turn it on."
+  The sysadmin was enlightened.
+All of our installation tools are scriptable.  These tools are responsible for fetching a signed certificate from the puppet master and installing it on the client before its first boot.  This transaction will be authenticated using a protected shared secret.  Non-Mozilla users can simply omit this part of the setup and sign certificates by hand.
 = Clients =