ReleaseEngineering/PuppetAgain/Modules/puppetmaster: Difference between revisions

From MozillaWiki
Latest revision as of 16:12, 15 July 2014

This module handles installing, updating, and running the puppet master. This setup uses Apache and mod_passenger. Puppet masters don't sign client certificates; those are generated by a self-signed CA (on cruncher).

Installation

See ReleaseEngineering/PuppetAgain/HowTo/Set up a standalone puppetmaster

Updates

Masters update themselves by puppet::periodic (ReleaseEngineering/PuppetAgain/Modules/puppet).

CRL sync

To keep the list of revoked certificates (CRL) up to date, masters fetch the CRL from the CA by a cron job and gracefully restart Apache.

Secrets

Creation of new certificates is guarded by a password, using the username 'deploy'.

deploy_password
the cleartext password
deploy_username
always 'deploy'
puppetmaster_deploy_htpasswd
the htpasswd-hashed version of the password. Generate with htpasswd -n - deploy and only include the portion after "deploy:" in the secrets file
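The three deploy_* secrets above must agree with each other: the username is always 'deploy', and the htpasswd value must be the hash only, without the "deploy:" prefix that htpasswd -n prints. The following added checker (not part of the PuppetAgain repo) validates a secrets mapping against those rules; the secrets key names follow the list above, the SAMPLE data is constructed, and only the {SHA} scheme (htpasswd -s) is verified against the cleartext, while apr1 and bcrypt hashes are only checked for shape.

```python
import base64
import hashlib
import re

EXPECTED_USER = "deploy"          # deploy_username is always 'deploy'
_APR1 = re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
_BCRYPT = re.compile(r"^\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}$")

def hash_field_from_htpasswd(line):
    """Return the part after 'deploy:' from a line printed by `htpasswd -n`."""
    user, sep, hashed = line.strip().partition(":")
    if not sep or user != EXPECTED_USER:
        raise ValueError("expected a 'deploy:' line, got %r" % line)
    return hashed

def sha_htpasswd(cleartext):
    """Build the {SHA} form that `htpasswd -s` produces (used here for self-checks)."""
    digest = hashlib.sha1(cleartext.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def password_matches(cleartext, hashed):
    """True/False for {SHA} hashes; None for apr1/bcrypt, whose shape is only validated."""
    if hashed.startswith("{SHA}"):
        return sha_htpasswd(cleartext) == hashed
    if _APR1.match(hashed) or _BCRYPT.match(hashed):
        return None
    raise ValueError("unrecognised htpasswd hash: %r" % hashed)

def check_deploy_secrets(secrets):
    """Return the problems found in the deploy_* entries of a secrets mapping."""
    problems = []
    if secrets.get("deploy_username") != EXPECTED_USER:
        problems.append("deploy_username must be 'deploy'")
    hashed = secrets.get("puppetmaster_deploy_htpasswd", "")
    if hashed.startswith(EXPECTED_USER + ":"):
        # The page says to keep only the portion after "deploy:"; flag and strip it.
        problems.append("puppetmaster_deploy_htpasswd still carries the 'deploy:' prefix")
        hashed = hashed[len(EXPECTED_USER) + 1:]
    try:
        ok = password_matches(secrets.get("deploy_password", ""), hashed)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if ok is False:
            problems.append("deploy_password does not match puppetmaster_deploy_htpasswd")
    return problems

# Constructed sample: a secrets entry pasted with the 'deploy:' prefix left in.
SAMPLE = {"deploy_username": "deploy", "deploy_password": "s3cret",
          "puppetmaster_deploy_htpasswd": "deploy:" + sha_htpasswd("s3cret")}
```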