ReleaseEngineering/PuppetAgain/Modules/puppetmaster: Difference between revisions
Revision as of 22:00, 3 January 2013
This module handles installing, updating, and running the puppet master. This setup uses Apache and mod_passenger. Puppet masters do not sign client certificates. They are generated by a self-signed CA (on cruncher).
Installation
This procedure has been tested on freshly installed CentOS 6.2 hosts with the "Base" yum group installed.
- Install the puppet and mercurial packages from the releng repo (link to how to set it up?)
- Generate puppet master certificates using CA scripts (see below) and copy them.
- Clone puppetagain repo to /etc/puppet/production
hg clone http://hg.mozilla.org/build/puppet /etc/puppet/production
- Copy secrets.csv and local-config.csv files to /etc/puppet/production/manifests/extlookup/
- Run /etc/puppet/production/setup/masterize.sh to bootstrap the master
Updates
Masters update themselves by puppet::periodic (ReleaseEngineering/PuppetAgain/Modules/puppet).
Certificate management
See http://hg.mozilla.org/build/puppet/file/tip/setup/ca-scripts/README
CRL sync
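To keep the list of revoked certificates (CRL) up to date, masters fetch the CRL from the CA with a cron job (http://hg.mozilla.org/build/puppet/file/tip/modules/puppetmaster/templates/update_crl.sh.erb) and gracefully restart Apache.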
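The following is an added example, not the module's own update_crl.sh.erb: one way a CRL sync job can fail closed, so that a truncated or wrongly signed download never replaces the CRL Apache is enforcing, and Apache is only restarted when the CRL changed. The function names, the argument layout and the default reload command (`apachectl graceful`) are assumptions.

```shell
#!/bin/bash
# Added example, not the module's update_crl.sh.erb. Function names, the
# argument layout and the default reload command are assumptions.

# verify_crl CRL CA_CERT: succeed only if CRL parses and is signed by CA_CERT.
# Older openssl releases exit 0 even on "verify failure", so match the text
# instead of trusting the exit status.
verify_crl() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# sync_crl NEW_CRL CA_CERT DEST [RELOAD_CMD...]
# Returns 0 if DEST was replaced and the reload ran, 1 if the download was
# rejected or could not be installed, 2 if DEST was already up to date.
sync_crl() {
    local new="$1" ca="$2" dest="$3" tmp
    shift 3
    [ "$#" -gt 0 ] || set -- apachectl graceful   # assumed reload command

    # Fail closed: keep enforcing the old CRL rather than accept an empty,
    # truncated or wrongly signed one.
    if [ ! -s "$new" ] || ! verify_crl "$new" "$ca"; then
        echo "rejected CRL $new: empty or not signed by $ca" >&2
        return 1
    fi

    # Nothing was revoked since the last run: skip the restart.
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        return 2
    fi

    # Write beside DEST and rename, so Apache never reads a partial file.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cat "$new" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest" \
        || { rm -f "$tmp"; return 1; }
    "$@"
}

# From cron: this-script NEW_CRL CA_CERT DEST (an unchanged CRL is not an error).
if [ "$#" -ge 3 ]; then
    sync_crl "$@" || [ "$?" -eq 2 ]
fi
```

The download step is left out on purpose: whatever fetches the file from the CA host, the signature check against the locally held CA certificate is what decides whether it is installed.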