<!-- page was renamed from Infrastructure/Puppet/QuickStart -->
{{header|infra}}

= Puppet SOP =

{{admon/important|All SOPs have been moved to the Fedora Infrastructure [https://pagure.io/infra-docs/ SOP git repository]. Please consult the [https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/index.html online documentation] for the current version of this document.}}

[[Category:Infrastructure SOPs]]

== Introduction ==
This page is intended for people who are already familiar with puppet. It is specific to our Fedora Infrastructure though the techniques are general enough to apply to other environments.

== CVS ==
All of our configs and manifests are stored in CVS. We also have a private CVS that stores keys, certificates and other files (like sudoers) that should only be altered by a select few people.

The following commands will check out all CVS configs (from puppet1.fedora.phx.redhat.com):

<pre>
cvs -d /cvs/puppet co configs
cvs -d /cvs/puppet co manifests
</pre>

== Altering config files ==
The config files need to be edited, saved and installed. The following example assumes everything is already checked out and alters a proxy file on the webserver.

<pre>
cd configs
vi web/fedoraproject.org/wiki.conf
cvs commit -m "altered the wiki config"
make install
</pre>

Tail /var/log/messages to watch the update happen.

== Adding new files ==
Adding new files consists of two things: adding the file and adding the manifest. Adding the config file is similar to the alteration section above. Just add the file to the appropriate directory and run 'cvs add filename'. Then commit and run 'make install'.

Once the config file is in place, move to your manifests directory and add the file to whichever manifest seems appropriate. If none do, add a new manifest. All of our manifests exist in the services directory. From there the servergroups manifests group the services into logical machines. The nodes file then includes those servergroups for submission to the servers.

== Adding new node ==
Adding new hosts of an already known type is easy. The following example is for a builder. First check out the manifests module. Then add a new node file (see the other node files for examples).

For example:

<pre>
node xenbuilder3{
    include build
}
</pre>

The "include build" line refers to a 'build' group in the servergroups directory.

=== Node Access ===
If this is a new node coming from a previously unused IP address, we need to give puppet, infrastructure and the accounts system access to the node:

<pre>
cvs -d /cvs/puppet co manifests
cd manifests
vi fileserver.conf
cvs commit -m "What you added"
make install
cd ..
cvs -d /cvs/puppet co configs
cd configs
vi web/infrastructure.fedoraproject.org/infrastructure.conf
vi web/exclude.conf.erb
</pre>

=== On the node ===
Make sure that fedoraproject.org is in the search path in /etc/resolv.conf, then do a manual run of puppet:

<pre>
puppetd -t --server=puppet
</pre>

This initial run will send a certificate request over to the puppet master. Once you have signed the new request (below), go back to the node and re-run the command.

=== Signing new ca request ===
A server built with one of our official kickstart scripts will automatically request a cert from puppet1. To view the list, run (as root):

<pre>
puppetca --list
</pre>

Then sign whichever hostname needs to be signed:

<pre>
puppetca --sign xenbuilder3.fedora.phx.redhat.com
</pre>

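Signing is the step where the puppet master starts trusting a host, so each pending name should match a node that was actually defined. The following shell helper is an added example, not part of the original SOP or of Fedora Infrastructure's tooling; it assumes <code>puppetca --list</code> prints one requesting hostname per line and that node files use the <code>node name{</code> syntax shown above. The function names, the <code>.pp</code> file names and the demo input are hypothetical.

```shell
#!/bin/sh
# Added example: vet pending certificate requests against declared nodes.
# Assumption: `puppetca --list` prints one requesting hostname per line
# (only the first field of each line is used).

# Print node names declared in the manifest files given as arguments.
# Accepts `node name{`, `node name {` and `node "name" {`.
declared_nodes() {
    sed -n 's/^[[:space:]]*node[[:space:]][[:space:]]*"\{0,1\}\([A-Za-z0-9._-][A-Za-z0-9._-]*\).*/\1/p' "$@"
}

# vet_requests DOMAIN NODE_FILE...
# Reads request names on stdin. Prints "OK name" when the name is a declared
# node or <node>.DOMAIN, "UNKNOWN name" otherwise. Returns 1 if any request
# is unknown, 2 on bad usage.
vet_requests() {
    [ "$#" -ge 2 ] || return 2
    domain=$1; shift
    allowed=$(declared_nodes "$@" | while read -r n; do
        printf '%s\n%s.%s\n' "$n" "$n" "$domain"
    done)
    status=0
    while read -r name _rest; do
        [ -n "$name" ] || continue
        case $name in
            # Anything that is not a plain hostname is never signable.
            *[!A-Za-z0-9._-]*) echo "UNKNOWN $name"; status=1; continue ;;
        esac
        if printf '%s\n' "$allowed" | grep -qxF -e "$name"; then
            echo "OK $name"
        else
            echo "UNKNOWN $name"; status=1
        fi
    done
    return "$status"
}

# Constructed demo input: the SOP's node example and two pending requests,
# the second from a domain that is not ours.
demo_dir=$(mktemp -d)
printf 'node xenbuilder3{\n    include build\n}\n' > "$demo_dir/xenbuilder3.pp"
printf '%s\n' xenbuilder3.fedora.phx.redhat.com xenbuilder3.example.net |
    vet_requests fedora.phx.redhat.com "$demo_dir"/*.pp ||
    echo "do not sign the UNKNOWN requests without checking them"
rm -rf "$demo_dir"
```

On the puppet master the input would come from <code>puppetca --list</code> piped into <code>vet_requests</code>, with the checked-out node files as arguments.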
=== Finalizing ===
Sometimes a new node needs to have puppet restarted in order to connect correctly after its certificate has been approved. Simply log in and run 'service puppet restart'.

== Remove Server ==
To remove a server, first clean the cert:

<pre>
puppetca -c xenbuilderx.fedora.phx.redhat.com
</pre>

Then remove its node file.

=== Regenerate cert request ===
To regenerate the cert request (for example when re-kicking a box), first remove the old cert:

<pre>
puppetca -c xenbuilderx.fedora.phx.redhat.com
</pre>

Then restart puppet on the remote node and sign the certificate with --sign as described above.