opendev/system-config
Code Issues Proposed changes

Clean up puppetmaster cruft

Browse Source 
Now that we are running puppet in masterless mode, we don't need to tell
nodes where the puppetmaster is, or what their certname is, nor do we
need to keep running the puppetmaster in Apache. This patch cleans those
things up.

Change-Id: I663af0d9948f2ce3a47cc22ada47c3bbbbf316fa
This commit is contained in:
Colleen Murphy 2017-04-02 19:03:08 +02:00 committed by Colleen Murphy
parent 4bda27fcc3
commit 53b0e624e0
6 changed files with 4 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/source/running-your-own.rst
View File

@ -376,9 +376,7 @@ to bring up initially, so that's our next step.
The platform specific slaves are named $platform-serial.slave.$PROJECT in The platform specific slaves are named $platform-serial.slave.$PROJECT in
site.pp. For instance, Python2.6 is not widely available now, so it runs on site.pp. For instance, Python2.6 is not widely available now, so it runs on
centos6-xx.slave.$platform nodes. There can be multiple slaves, and each centos6-xx.slave.$platform nodes.
gets their own puppet cert. The openstack/site.pp has a legacy setting for
``certname`` that you should remove.
#. Migrate modules/openstack_project/manifests/slave.pp #. Migrate modules/openstack_project/manifests/slave.pp
We reuse tmpcleanup as-is. We reuse tmpcleanup as-is.
@ -386,8 +384,6 @@ gets their own puppet cert. The openstack/site.pp has a legacy setting for
#. Convert a slave definition in site.pp. Lets say #. Convert a slave definition in site.pp. Lets say
``/^centos6-?\d+\.slave\.openstack\.org$/`` ``/^centos6-?\d+\.slave\.openstack\.org$/``
#. Remove the certname override - upstream are dropping this gradually.
#. Launch a node, passing in --image and --flavor to get a node that you #. Launch a node, passing in --image and --flavor to get a node that you
want :). e.g:: want :). e.g::

2
manifests/site.pp
View File

@ -1186,7 +1186,6 @@ node /^zlstatic\d+\.openstack\.org$/ {
iptables_rules6 => $iptables_rule, iptables_rules6 => $iptables_rule,
iptables_rules4 => $iptables_rule, iptables_rules4 => $iptables_rule,
sysadmins => hiera('sysadmins', []), sysadmins => hiera('sysadmins', []),
puppetmaster_server => 'puppetmaster.openstack.org',
afs => true, afs => true,
} }
class { 'openstack_project::zuul_launcher': class { 'openstack_project::zuul_launcher':
@ -1215,7 +1214,6 @@ node /^zl\d+\.openstack\.org$/ {
iptables_rules6 => $iptables_rule, iptables_rules6 => $iptables_rule,
iptables_rules4 => $iptables_rule, iptables_rules4 => $iptables_rule,
sysadmins => hiera('sysadmins', []), sysadmins => hiera('sysadmins', []),
puppetmaster_server => 'puppetmaster.openstack.org',
afs => true, afs => true,
} }
class { 'openstack_project::zuul_launcher': class { 'openstack_project::zuul_launcher':

18
modules/openstack_project/manifests/puppetmaster.pp
View File

@ -194,27 +194,15 @@ class openstack_project::puppetmaster (
# For puppet master apache serving. # For puppet master apache serving.
package { 'puppetmaster-passenger': package { 'puppetmaster-passenger':
ensure => present, ensure => absent,
} }
file { '/etc/apache2/sites-available/puppetmaster.conf': file { '/etc/apache2/sites-available/puppetmaster.conf':
ensure => present, ensure => absent,
owner => 'root',
group => 'root',
mode => '0600',
content => template('openstack_project/puppetmaster/puppetmaster_vhost.conf.erb'),
require => Package['puppetmaster-passenger'],
} }
# To set LANG to utf8, otherwise we get charset errors on manifests
# with non-ascii chars
file { '/etc/apache2/envvars': file { '/etc/apache2/envvars':
ensure => present, ensure => absent,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/puppetmaster/envvars.debian',
require => Package['puppetmaster-passenger'],
} }
# For launch/launch-node.py. # For launch/launch-node.py.

2
modules/openstack_project/manifests/server.pp
View File

@ -7,13 +7,11 @@ class openstack_project::server (
$iptables_rules4 = [], $iptables_rules4 = [],
$iptables_rules6 = [], $iptables_rules6 = [],
$sysadmins = [], $sysadmins = [],
$certname = $::fqdn,
$pin_puppet = '3.', $pin_puppet = '3.',
$ca_server = undef, $ca_server = undef,
$enable_unbound = true, $enable_unbound = true,
$afs = false, $afs = false,
$afs_cache_size = 500000, $afs_cache_size = 500000,
$puppetmaster_server = 'puppetmaster.openstack.org',
$manage_exim = true, $manage_exim = true,
$pypi_index_url = 'https://pypi.python.org/simple', $pypi_index_url = 'https://pypi.python.org/simple',
$purge_apt_sources = true, $purge_apt_sources = true,

2
modules/openstack_project/manifests/slave.pp
View File

@ -2,7 +2,6 @@
# #
class openstack_project::slave ( class openstack_project::slave (
$thin = false, $thin = false,
$certname = $::fqdn,
$ssh_key = '', $ssh_key = '',
$sysadmins = [], $sysadmins = [],
$jenkins_gitfullname = 'OpenStack Jenkins', $jenkins_gitfullname = 'OpenStack Jenkins',
@ -20,7 +19,6 @@ class openstack_project::slave (
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [19885], iptables_public_tcp_ports => [19885],
iptables_public_udp_ports => [], iptables_public_udp_ports => [],
certname => $certname,
sysadmins => $sysadmins, sysadmins => $sysadmins,
afs => $afs afs => $afs
} }

60
modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
View File

@ -1,60 +0,0 @@
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.
# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.
# This file is basically the one shipped by puppet with changes annotated
# below.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# This line is commented out by puppet and uncommented here to avoid a
# memory leak.
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
Listen 8140
<VirtualHost *:8140>
SSLEngine on
# This replaces puppet's default SSLProtocol spec to prevent POODLE
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
SSLHonorCipherOrder on
SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking; if you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>