ConfigMgmtConf 2016 by Spencer Krum (nibalizer)
This talk covered how we use ansible and puppet together. Change-Id: Ie7792e3b3621bc0c3cafa07656a343240f8f02e0
@ -1 +1,3 @@
output
*.swp
venv
_build
@ -2,4 +2,4 @@
host=review.openstack.org
port=29418
project=openstack-infra/publications.git
defaultbranch=master
defaultbranch=better-together-puppet-and-ansible
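--- /dev/null
+++ b/Makefile
@@ -0,0 +1,198 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+PAPER =
+BUILDDIR = _build
+
+# User-friendly check for sphinx-build
+ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
+endif
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext
+
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo " html to make standalone HTML files"
+	@echo " dirhtml to make HTML files named index.html in directories"
+	@echo " singlehtml to make a single large HTML file"
+	@echo " pickle to make pickle files"
+	@echo " json to make JSON files"
+	@echo " htmlhelp to make HTML files and a HTML help project"
+	@echo " qthelp to make HTML files and a qthelp project"
+	@echo " applehelp to make an Apple Help Book"
+	@echo " devhelp to make HTML files and a Devhelp project"
+	@echo " epub to make an epub"
+	@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+	@echo " latexpdf to make LaTeX files and run them through pdflatex"
+	@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+	@echo " text to make text files"
+	@echo " man to make manual pages"
+	@echo " texinfo to make Texinfo files"
+	@echo " info to make Texinfo files and run them through makeinfo"
+	@echo " gettext to make PO message catalogs"
+	@echo " changes to make an overview of all changed/added/deprecated items"
+	@echo " xml to make Docutils-native XML files"
+	@echo " pseudoxml to make pseudoxml-XML files for display purposes"
+	@echo " linkcheck to check all external links for integrity"
+	@echo " doctest to run all doctests embedded in the documentation (if enabled)"
+	@echo " coverage to run coverage check of the documentation (if enabled)"
+
+clean:
+	rm -rf $(BUILDDIR)/*
+
+html:
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+	@echo
+	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+	@echo
+	@echo "Build finished; now you can process the pickle files."
+
+json:
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+	@echo
+	@echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+	@echo
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+	@echo
+	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
+	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/SecurePeerNetworkingwithTINC.qhcp"
+	@echo "To view the help file:"
+	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/SecurePeerNetworkingwithTINC.qhc"
+
+applehelp:
+	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
+	@echo
+	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
+	@echo "N.B. You won't be able to view it unless you put it in" \
+	      "~/Library/Documentation/Help or install it in your application" \
+	      "bundle."
+
+devhelp:
+	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+	@echo
+	@echo "Build finished."
+	@echo "To view the help file:"
+	@echo "# mkdir -p $$HOME/.local/share/devhelp/SecurePeerNetworkingwithTINC"
+	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/SecurePeerNetworkingwithTINC"
+	@echo "# devhelp"
+
+epub:
+	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+	@echo
+	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo
+	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+	@echo "Run \`make' in that directory to run these through (pdf)latex" \
+	      "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through pdflatex..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+latexpdfja:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through platex and dvipdfmx..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+	@echo
+	@echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+	@echo
+	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo
+	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+	@echo "Run \`make' in that directory to run these through makeinfo" \
+	      "(use \`make info' here to do that automatically)."
+
+info:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo "Running Texinfo files through makeinfo..."
+	make -C $(BUILDDIR)/texinfo info
+	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+	@echo
+	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+	@echo
+	@echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+	@echo
+	@echo "Link check complete; look for any errors in the above output " \
+	      "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+	@echo "Testing of doctests in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/doctest/output.txt."
+
+coverage:
+	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
+	@echo "Testing of coverage in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/coverage/python.txt."
+
+xml:
+	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+	@echo
+	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+pseudoxml:
+	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+	@echo
+	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
+
+
+slides:
+	$(SPHINXBUILD) -b slides $(ALLSPHINXOPTS) $(BUILDDIR)/slides
+	@echo "Build finished. The HTML slides are in $(BUILDDIR)/slides."
+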
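Review bot: The `clean` recipe runs `rm -rf $(BUILDDIR)/*` while `BUILDDIR` is a plain `=` assignment that any command-line override can blank, so `make BUILDDIR= clean` expands to `rm -rf /*`; a guard line ahead of the rm, `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))`, makes the destructive recipe refuse to run on an empty value. The `info` target invokes a literal `make -C $(BUILDDIR)/texinfo info` whereas `latexpdf` and `latexpdfja` correctly use `$(MAKE)`; the literal form drops `-n` and the jobserver on the recursive call, so change it to `$(MAKE) -C $(BUILDDIR)/texinfo info`. The newly added `slides` target (the only non-stock rule here) is missing from the `.PHONY` list, so a file or directory named `slides` next to the Makefile would make `make slides` report "up to date" without building. The `qthelp` and `devhelp` hints still name `SecurePeerNetworkingwithTINC.qhcp`/`.qhc`, which appears to be carried over from a different deck and would point users at files this build does not produce.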
686
README.rst
|
@ -1,28 +1,672 @@
|
|||
Publications Repository
|
||||
=======================
|
||||
|
||||
Each publication should get its own branch and is a living document.
|
||||
.. Secure Peer Networking with TINC slides file, created by
|
||||
hieroglyph-quickstart on Sun Nov 15 21:40:13 2015.
|
||||
|
||||
In order to create a new slide deck, create your branch from the
|
||||
presentation template. See the `template README
|
||||
<https://git.openstack.org/cgit/openstack-infra/publications/tree/README.rst?h=template>`_
|
||||
for step by step instructions on this process.
|
||||
|
||||
Note that each branch should have a README.rst file where the first line
|
||||
is the title of the presentation.
|
||||
===================================
|
||||
Better Together: Puppet and Ansible
|
||||
===================================
|
||||
|
||||
Each time a publication is presented or published, the branch should
|
||||
be tagged (with a signed, annotated tag). The first line of the tag
|
||||
message should be the title of the event or publication, and the tag
|
||||
itself should be in the format "year-venue-publication". For example,
|
||||
if the presentation "overview" was given at LinuxCon North America
|
||||
2013, you might tag it with:
|
||||
.. figure:: _static/config_mgmt_camp_logo.png
|
||||
:align: left
|
||||
:width: 300px
|
||||
|
||||
Spencer Krum, IBM
|
||||
|
||||
Feb 2, 2016
|
||||
|
||||
@nibalizer
|
||||
|
||||
http://spencerkrum.com
|
||||
https://git.openstack.org/cgit/openstack-infra/publications
|
||||
|
||||
.. note::
|
||||
|
||||
* Who am I
|
||||
* What do I work on
|
||||
* github
|
||||
|
||||
|
||||
Portland
|
||||
========
|
||||
|
||||
.. figure:: _static/mt_hood.jpg
|
||||
:align: center
|
||||
|
||||
|
||||
Other People
|
||||
============
|
||||
|
||||
* OpenStack Infra Team
|
||||
* Jim Blair
|
||||
* Monty Taylor
|
||||
* Colleen Murphy
|
||||
* Hunter Haugen
|
||||
* Many More
|
||||
|
||||
.. note::
|
||||
|
||||
* Team effort
|
||||
|
||||
Agenda
|
||||
======
|
||||
|
||||
* Introduction
|
||||
* Describe OpenStack Infra Team and Infrastructure
|
||||
* Describe Puppet use
|
||||
* Describe Ansible use
|
||||
* Describe the Ansible-Puppet collaboration
|
||||
|
||||
|
||||
OpenStack Infrastructure
|
||||
========================
|
||||
|
||||
* General Overview
|
||||
|
||||
.. note::
|
||||
* OpenStack is software
|
||||
* We test it
|
||||
* 20k tests a day at peak times
|
||||
* Jobs, test, integration, docs, release, translate
|
||||
|
||||
History
|
||||
=======
|
||||
|
||||
* Started 5 years ago
|
||||
* Open Source
|
||||
|
||||
.. note::
|
||||
* pleia jim/monty sitck figures
|
||||
* pre ansible (python shop)
|
||||
* tried chef, hard
|
||||
* went with puppet
|
||||
* Heavy CI/CD culture, everything goes through git, delpoy - grafana
|
||||
|
||||
Primary Services
|
||||
================
|
||||
|
||||
* Code Review (gerrit)
|
||||
* CI (zomg complexity)
|
||||
* Code hosting (haproxy/cgit farm)
|
||||
* Mailing lists(mailman)
|
||||
|
||||
.. note::
|
||||
* These are the things that we really need to be up
|
||||
* Our CI system is home grown and awesome
|
||||
|
||||
Secondary Services
|
||||
==================
|
||||
|
||||
* wiki
|
||||
* ask.openstack.org
|
||||
* mailing lists
|
||||
* afs/kerberos
|
||||
* irc bots
|
||||
* paste
|
||||
* etherpad
|
||||
* elk
|
||||
* zanata
|
||||
* graphite/grafana/grafyaml
|
||||
|
||||
.. note::
|
||||
* These are the things that got set up
|
||||
* Lot of community involvment here
|
||||
|
||||
|
||||
Codesearch
|
||||
==========
|
||||
|
||||
.. figure:: _static/codesearch.png
|
||||
:align: center
|
||||
|
||||
* http://codesearch.openstack.org
|
||||
|
||||
.. note::
|
||||
* codesearch.openstack.org
|
||||
* hound from etsy
|
||||
* deployed by outreachy intern
|
||||
* use our puppet module!
|
||||
* wicked fast
|
||||
|
||||
Basics
|
||||
======
|
||||
|
||||
* 30 'pets'
|
||||
* 12 x jenkins masters
|
||||
* 20 x package mirrors
|
||||
* 8 x git mirrors
|
||||
* ~30 elk cluster
|
||||
* infinity test vms
|
||||
|
||||
.. note::
|
||||
* These are the things that got set up
|
||||
* Lot of community involvment here
|
||||
|
||||
Basics
|
||||
======
|
||||
|
||||
* All infrastructure runs on OpenStack clouds
|
||||
* Clouds donated by companies <3
|
||||
* Rackspace and HPCloud at first
|
||||
* Now involving BlueBox, OVH, Internap and more
|
||||
|
||||
.. note::
|
||||
* Maybe yours
|
||||
* HP has donated a blob of physical gear which we are clouding
|
||||
* Run our services on the public internet
|
||||
|
||||
|
||||
Mgmt
|
||||
====
|
||||
|
||||
* Precise, Trusty, Centos 7
|
||||
* Puppet for config mgmt
|
||||
* Ansible for orchestration
|
||||
* Disk-image-builder for image builds
|
||||
* snmp + cacti for metrics
|
||||
* puppetboard for visibility
|
||||
|
||||
|
||||
.. note::
|
||||
* Precise, trusty, centos 7
|
||||
* Centos 6 was killed
|
||||
* Puppet does all configuration of everything, services, files, templates, packages
|
||||
|
||||
Puppet circa 2014
|
||||
=================
|
||||
|
||||
* 2.7 Master
|
||||
* Passenger
|
||||
* Generated certs, w/ push
|
||||
* CI/CD
|
||||
* install_modules.sh
|
||||
* puppet-lint test
|
||||
* some public modules
|
||||
* single puppet repo
|
||||
|
||||
.. note::
|
||||
* Single puppetmaster
|
||||
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
|
||||
* near-perfect cd
|
||||
* install_modules.sh was sortof r10kish
|
||||
* public modules were all really old versions
|
||||
* public internet, rouge puppet certs
|
||||
|
||||
|
||||
Example of where we were at
|
||||
==========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
if [ -n "$NODEPOOL_SSH_KEY" ] ; then
|
||||
puppet_install_users="install_users => false,
|
||||
ssh_key => '$NODEPOOL_SSH_KEY',"
|
||||
else
|
||||
puppet_install_users=""
|
||||
fi
|
||||
|
||||
cat >/tmp/local.pp <<EOF
|
||||
class {'openstack_project::single_use_slave':
|
||||
sudo => $SUDO,
|
||||
thin => $THIN,
|
||||
install_resolv_conf => false,
|
||||
$puppet_install_users
|
||||
}
|
||||
EOF
|
||||
|
||||
puppet apply /tmp/local.pp
|
||||
|
||||
.. note::
|
||||
* Some but not all of the terribleness has been preserved
|
||||
* run this in prod
|
||||
|
||||
Example of where we were at
|
||||
==========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
# upstream is currently looking for /run/systemd files to check
|
||||
# for systemd. This fails in a chroot where /run isn't mounted
|
||||
# (like when using dib). Comment out this confine as fedora
|
||||
# always has systemd
|
||||
# see
|
||||
# https://github.com/puppetlabs/puppet/pull/4481
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1254616
|
||||
sudo sed -i.bak \
|
||||
'/^[^#].*/ s|\(^.*confine :exists => \"/run/systemd/system\".*$\)|#\ \1|' \
|
||||
/usr/share/ruby/vendor_ruby/puppet/provider/service/systemd.rb
|
||||
|
||||
.. note::
|
||||
* Puppet 4 on f23
|
||||
* A user level patch to software that was patched before being packaged
|
||||
|
||||
|
||||
Upgrades to the puppet setup
|
||||
============================
|
||||
|
||||
* 3.x
|
||||
* PuppetDB + PuppetBoard
|
||||
* Modules split out
|
||||
* Started using newer public modules
|
||||
* Upgraded apache
|
||||
|
||||
.. note::
|
||||
* 3.x happened right as 2.7 Eol'd for the last time
|
||||
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
|
||||
* near-perfect cd
|
||||
* install_modules.sh was sortof r10kish
|
||||
* public modules were all really old versions
|
||||
|
||||
Upgrades to the puppet setup: Apply test
|
||||
========================================
|
||||
|
||||
* Apply test http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
file=$1
|
||||
fileout=${file}.out
|
||||
echo "##" > $fileout
|
||||
cat $file > $fileout
|
||||
sudo puppet apply --noop --verbose --debug $file >/dev/null 2>> $fileout
|
||||
ret=$?
|
||||
cat $fileout
|
||||
exit $ret
|
||||
|
||||
.. note::
|
||||
* 3.x happened right as 2.7 Eol'd for the last time
|
||||
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
|
||||
* near-perfect cd
|
||||
* install_modules.sh was sortof r10kish
|
||||
* public modules were all really old versions
|
||||
|
||||
Upgrades to the puppet setup: OpenStackCI
|
||||
=========================================
|
||||
|
||||
* Control Repo Indirector
|
||||
* Puppet module
|
||||
|
||||
.. note::
|
||||
* Open Source when you release
|
||||
* Open source when you get users
|
||||
* Wraps Daemons and configuration
|
||||
* All-in-one node deployment
|
||||
|
||||
|
||||
Upgrades to the puppet setup: Public Hiera
|
||||
==========================================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit 1624692402d2148ab7d6dd9e5642fb0b34ec7209
|
||||
Author: Spencer Krum <nibz@spencerkrum.com>
|
||||
Date: Fri Apr 24 08:36:46 2015 -0700
|
||||
|
||||
Convert hiera configuration to support public data
|
||||
|
||||
This moves the hiera root under /opt/system-config so it can reach
|
||||
into both private and public hiera directories. This implies that
|
||||
hiera data will live in a hiera/ directory in system-config.
|
||||
|
||||
Manual: This requires a manual change to the puppetmaster system. A
|
||||
rooter must move /etc/puppet/hieradata to /opt/system-config/hieradata
|
||||
|
||||
Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/public_hiera.html
|
||||
|
||||
Change-Id: I1736759ee9ac7cd0c206538ed0a2f6d0d71ea440
|
||||
|
||||
|
||||
.. note::
|
||||
* Split Data from code
|
||||
* Increase visibility
|
||||
* Reduces merge conflicts
|
||||
|
||||
|
||||
Need basic orchestration
|
||||
========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit b55ed05a274e5da40b567ad127a3d1c5808e48c6
|
||||
Author: Monty Taylor <mordred@inaugust.com>
|
||||
Date: Mon Mar 17 04:01:33 2014 -0400
|
||||
|
||||
Drive puppet from the master over ssh
|
||||
|
||||
We'd like to be able to control sequencing of how and when puppet
|
||||
runs across our machines. Currently, it's just a set of agents
|
||||
that run kinda whenever they run. At times they hang and we don't
|
||||
know about it. Also, cross-server sequencing is impossible to
|
||||
achieve.
|
||||
|
||||
Change the operation away from agents running on the machine as
|
||||
daemons, and instead ssh from the master to each machine.
|
||||
|
||||
Change-Id: I76e41e63c6d0825e8735c484ba4580d545515e43
|
||||
|
||||
.. note::
|
||||
* /opt/config/production/run_all.sh
|
||||
* 'override hosts'
|
||||
* gave us limited Do X before Y
|
||||
* create repos in git slaves before creating them in the git master
|
||||
* replication in the git-master is a bit derpy
|
||||
* "this allows creation of git repos on the git slaves before creation of the master repos on the gerrit server"
|
||||
|
||||
|
||||
Need basic orchestration
|
||||
========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
|
||||
Author: Monty Taylor <mordred@inaugust.com>
|
||||
Date: Tue Apr 15 17:41:45 2014 -0700
|
||||
|
||||
Use ansible instead of direct ssh calls
|
||||
|
||||
Instead of a shell script looping over ssh calls, use a simple
|
||||
ansible playbook. The benefit this gets is that we can then also
|
||||
script ad-hoc admin tasks either via playbooks or on the command
|
||||
line. We can also then get rid of the almost entirely unused
|
||||
salt infrastructure.
|
||||
|
||||
Change-Id: I53112bd1f61d94c0521a32016c8a47c8cf9e50f7
|
||||
|
||||
.. note::
|
||||
* Yes there was a ancient salt infra crusting
|
||||
|
||||
|
||||
Puppet Inventory
|
||||
================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
import json
|
||||
import subprocess
|
||||
|
||||
output = [
|
||||
x.split()[1][1:-1] for x in subprocess.check_output(
|
||||
["puppet","cert","list","-a"]).split('\n')
|
||||
if x.startswith('+')
|
||||
]
|
||||
|
||||
data = {
|
||||
'_meta': {'hostvars': dict()},
|
||||
'ungrouped': output,
|
||||
}
|
||||
print json.dumps(data, sort_keys=True, indent=2)
|
||||
|
||||
|
||||
.. note::
|
||||
* Ansible dynamic inventory
|
||||
* Reads puppet cert --list --all
|
||||
|
||||
|
||||
|
||||
OpenStack Inventory
|
||||
===================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit 714c934d0c57ed4c4ce653c0bb603071fc3dbff6
|
||||
Author: Monty Taylor <mordred@inaugust.com>
|
||||
Date: Wed Nov 25 11:36:30 2015 -0500
|
||||
|
||||
Use OpenStack for inventory instead of puppet
|
||||
|
||||
With the puppetmaster not there anymore, we should consume inventory
|
||||
from OpenStack rather than from puppet.
|
||||
|
||||
It turns out that because of the way static and dynamic inventories get
|
||||
merged, the static file needs to stand alone. SO - if you need to
|
||||
disable a dynamic host from OpenStack (pretty much all of our hosts) you
|
||||
need to not only add it to dynamic:children, you need to add an emtpy
|
||||
group into the static file too, otherwise you'll get an error like:
|
||||
|
||||
root@puppetmaster:~# ansible -i newinv '!disabled' --list-hosts
|
||||
ERROR: newinv/static:4: child group is not defined: (jenkins-dev.openstack.org)
|
||||
|
||||
Change-Id: Ic6809ed0b7014d7aebd414bf3a342e3a37eb10b6
|
||||
|
||||
.. note::
|
||||
* Ansible 2.0 released
|
||||
* Uses shade, a library we wrote
|
||||
* This inventory file lives in ansible/contrib
|
||||
* Start a really fucking annoying process of getting us the ability to disable a host temporarily
|
||||
|
||||
|
||||
Ansible group membership
|
||||
========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
jenkins jenkins*.openstack.org
|
||||
logstash-worker ~logstash-worker\d+\.openstack\.org
|
||||
subunit-worker ~subunit-worker\d+\.openstack\.org
|
||||
elasticsearch ~elasticsearch0[1-7]\.openstack\.org
|
||||
git-loadbalancer ~git(-fe\d+)?\.openstack\.org
|
||||
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
|
||||
git-server ~git\d+\.openstack\.org
|
||||
pypi pypi.*.openstack.org
|
||||
afsdb afsdb*.openstack.org
|
||||
afs afs*.*.openstack.org
|
||||
|
||||
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
|
||||
|
||||
|
||||
|
||||
Ansible's Role
|
||||
==============
|
||||
|
||||
* Ad hoc
|
||||
* Jenkins 'Maintenance'
|
||||
* Upgrades (see references)
|
||||
* Puppet Runs
|
||||
|
||||
|
||||
.. note::
|
||||
* get it?
|
||||
* Upgraded our elasticsearch cluster using ansible, through code review
|
||||
|
||||
|
||||
Jenkins Maintenance
|
||||
===================
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
---
|
||||
- hosts: 'jenkins0*.openstack.org'
|
||||
# Do the entire play completely for one host at a time
|
||||
serial: 1
|
||||
# Treat any errors as fatal so that we don't stop all the jenkins
|
||||
# masters.
|
||||
any_errors_fatal: true
|
||||
tasks:
|
||||
- shell: '/usr/local/jenkins/bin/safe_jenkins_shutdown --url https://{{ ansible_fqdn }}/ --user {{ user }} --password {{ password }}'
|
||||
- service: name=jenkins state=stopped
|
||||
# This is necessary because stopping Jenkins is not reliable.
|
||||
# We allow return code 1 which means no processes found.
|
||||
- shell: 'pkill -9 -U jenkins || [ $? -eq "1" ]'
|
||||
- service: name=jenkins state=restarted
|
||||
|
||||
|
||||
|
||||
.. note::
|
||||
* On cron once a week
|
||||
* This, and all ansible runs, run from one host, the puppetmaster
|
||||
* Bastion model
|
||||
|
||||
|
||||
Run_all.sh
|
||||
==========
|
||||
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
cd $SYSTEM_CONFIG
|
||||
git fetch -a && git reset -q --hard @{u}
|
||||
./install_modules.sh
|
||||
ansible-galaxy install --force -r roles.yaml
|
||||
|
||||
# First, sync the puppet repos with all the machines
|
||||
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/update_puppet.yaml
|
||||
# Run the git/gerrit sequence, since it's important that they all work together
|
||||
ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
|
||||
# Run AFS changes separately so we can make sure to only do one at a time
|
||||
# (turns out quorum is nice to have)
|
||||
ansible-playbook -f 1 ${ANSIBLE_PLAYBOOKS}/remote_puppet_afs.yaml
|
||||
# Run everything else. We do not care if the other things worked
|
||||
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/remote_puppet_else.yaml
|
||||
|
||||
.. note::
|
||||
* Every 15 minutes by cron
|
||||
* Flocking in the cron, this can certainly take longer than 15 minutes
|
||||
* Think about this relatively infrequently -> CI
|
||||
|
||||
|
||||
Puppet + Ansible
|
||||
================
|
||||
|
||||
* Copy code
|
||||
* Copy secrets
|
||||
* Inject variables
|
||||
* Run puppet
|
||||
* Save report
|
||||
* Push to puppetdb
|
||||
|
||||
.. note::
|
||||
* no use of r10k or install_modules.sh
|
||||
* Code is rsyncd from the puppetmaster
|
||||
* Specific hiera files are pushed, this is controlled by ansible groups
|
||||
* Environment variables such as git refs are set using FACTER variables
|
||||
* puppet is run
|
||||
* report_file report processor runs, emits a json blob
|
||||
* json blob copied back to puppet master, curl'd at puppetdb
|
||||
|
||||
Copy code
|
||||
=========
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- block:
|
||||
- name: copy puppet modules
|
||||
synchronize:
|
||||
src: "{{ manifest_base }}/{{ puppet_environment }}"
|
||||
dest: "{{ manifest_base }}"
|
||||
|
||||
Copy secrets
|
||||
============
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- name: make file list
|
||||
puppet_get_hiera_file_list:
|
||||
fqdn: "{{ ansible_fqdn }}"
|
||||
groups: "{{ hostvars[inventory_hostname].group_names }}"
|
||||
location: "{{ hieradata }}/{{ puppet_environment }}"
|
||||
delegate_to: localhost
|
||||
register: hiera_file_paths
|
||||
|
||||
- name: copy hiera files
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ item }}"
|
||||
mode: 0600
|
||||
with_items: hiera_file_paths.paths|default()
|
||||
|
||||
|
||||
Run Puppet
|
||||
==========
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- name: run puppet
|
||||
puppet:
|
||||
puppetmaster: "{{ puppetmaster|default(omit) }}"
|
||||
manifest: "{{ manifest|default(omit) }}"
|
||||
show_diff: "{{ show_diff|default(false) }}"
|
||||
facts: "{{ facts|default(omit) }}"
|
||||
facter_basename: "{{ facter_basename|default(omit) }}"
|
||||
|
||||
|
||||
Post report and facts to puppetdb
|
||||
==================================
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- name: fetch file
|
||||
synchronize:
|
||||
mode: pull
|
||||
src: "{{ puppet_logfile }}"
|
||||
dest: /var/lib/puppet/reports/{{ ansible_fqdn }}
|
||||
|
||||
- name: post facts
|
||||
puppet_post_puppetdb:
|
||||
puppetdb: "{{ puppetdb }}"
|
||||
hostvars: "{{ hostvars[inventory_hostname] }}"
|
||||
logfile: "{{ puppet_logfile }}"
|
||||
whoami: "{{ ansible_fqdn }}"
|
||||
delegate_to: localhost
|
||||
connection: local
|
||||
|
||||
|
||||
PuppetBoard
|
||||
===========
|
||||
|
||||
|
||||
.. figure:: _static/puppetboard.png
|
||||
:align: center
|
||||
|
||||
|
||||
Next Steps
|
||||
==========
|
||||
|
||||
* Shore up the puppetdb integration, has some bugs
|
||||
* Move launch_node.py into ansible
|
||||
* Remove puppet agent dependency for launch_node.py, disable puppetmaster service
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
* All infra repos: http://git.openstack.org/cgit/openstack-infra/
|
||||
* Main Control repo: http://git.openstack.org/cgit/openstack-infra/system-config
|
||||
* ansible-puppet role: http://git.openstack.org/cgit/openstack-infra/system-config
|
||||
* Apply test: http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
|
||||
* OpenStack CI http://docs.openstack.org/infra/openstackci/
|
||||
* Diskimage-Builder http://docs.openstack.org/developer/diskimage-builder/
|
||||
|
||||
References (cont)
|
||||
=================
|
||||
|
||||
* ELK Upgrade Playbook: https://review.openstack.org/#/c/238185/
|
||||
* Ansible puppetdb glue: http://git.openstack.org/cgit/openstack-infra/ansible-puppet/tree/library/puppet_post_puppetdb
|
||||
* Json puppet report processor: http://git.openstack.org/cgit/openstack-infra/system-config/tree/modules/openstack_project/lib/puppet/reports/puppetdb_file.rb
|
||||
|
||||
References: shas
|
||||
================
|
||||
|
||||
* Drive puppet from ssh: edaa31ebbda09fb03baf1d18b64f5fa996188745
|
||||
* Move from ssh to ansible: 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
|
||||
* Public hiera: 1624692402d2148ab7d6dd9e5642fb0b34ec7209
|
||||
|
||||
|
||||
|
||||
Thank You
|
||||
=========
|
||||
|
||||
.. figure:: _static/spencer_face.jpg
|
||||
:align: left
|
||||
|
||||
Spencer Krum
|
||||
|
||||
IBM
|
||||
|
||||
@nibalizer
|
||||
|
||||
nibz@spencerkrum.com
|
||||
|
||||
https://git.openstack.org/cgit/openstack-infra/publications
|
||||
|
||||
git tag -s -m "LinuxCon North America, 2013" 2013-linuxcon_na-overview
|
||||
|
||||
The 'make-index' script will create an index page based on index.html,
|
||||
and all current branches and tags in the repo and their README.rst
|
||||
files.
|
||||
|
||||
Viewable publications are published to:
|
||||
http://docs.openstack.org/infra/publications
|
||||
|
@ -0,0 +1,317 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Avisory Third Party CI documentation build configuration file, created by
|
||||
# sphinx-quickstart on Sun Nov 15 21:40:13 2015.
|
||||
#
|
||||
# This file is execfile()d with the current directory set to its
|
||||
# containing dir.
|
||||
#
|
||||
# Note that not all possible configuration values are present in this
|
||||
# autogenerated file.
|
||||
#
|
||||
# All configuration values have a default; values that are commented out
|
||||
# serve to show the default.
|
||||
|
||||
import sys
|
||||
import os
|
||||
import shlex
|
||||
|
||||
# If extensions (or modules to document with autodoc) are in another directory,
|
||||
# add these directories to sys.path here. If the directory is relative to the
|
||||
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||
#sys.path.insert(0, os.path.abspath('.'))
|
||||
|
||||
# -- General configuration ------------------------------------------------
|
||||
|
||||
# If your documentation needs a minimal Sphinx version, state it here.
|
||||
#needs_sphinx = '1.0'
|
||||
|
||||
# Add any Sphinx extension module names here, as strings. They can be
|
||||
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
|
||||
# ones.
|
||||
extensions = [
|
||||
'sphinx.ext.doctest',
|
||||
'sphinx.ext.intersphinx',
|
||||
'sphinx.ext.todo',
|
||||
'sphinx.ext.coverage',
|
||||
'sphinx.ext.pngmath',
|
||||
'sphinx.ext.ifconfig',
|
||||
]
|
||||
|
||||
# Add any paths that contain templates here, relative to this directory.
|
||||
templates_path = ['_templates']
|
||||
|
||||
# The suffix(es) of source filenames.
|
||||
# You can specify multiple suffix as a list of string:
|
||||
# source_suffix = ['.rst', '.md']
|
||||
source_suffix = '.rst'
|
||||
|
||||
# The encoding of source files.
|
||||
#source_encoding = 'utf-8-sig'
|
||||
|
||||
# The master toctree document.
|
||||
master_doc = 'index'
|
||||
|
||||
# General information about the project.
|
||||
project = u'Advisory Third Party CI'
|
||||
copyright = u'2016, Spencer Krum'
|
||||
author = u'Spencer Krum'
|
||||
|
||||
# The version info for the project you're documenting, acts as replacement for
|
||||
# |version| and |release|, also used in various other places throughout the
|
||||
# built documents.
|
||||
#
|
||||
# The short X.Y version.
|
||||
version = '2016.01.01'
|
||||
# The full version, including alpha/beta/rc tags.
|
||||
release = '2016.01.01'
|
||||
|
||||
# The language for content autogenerated by Sphinx. Refer to documentation
|
||||
# for a list of supported languages.
|
||||
#
|
||||
# This is also used if you do content translation via gettext catalogs.
|
||||
# Usually you set "language" from the command line for these cases.
|
||||
language = None
|
||||
|
||||
# There are two options for replacing |today|: either, you set today to some
|
||||
# non-false value, then it is used:
|
||||
#today = ''
|
||||
# Else, today_fmt is used as the format for a strftime call.
|
||||
#today_fmt = '%B %d, %Y'
|
||||
|
||||
# List of patterns, relative to source directory, that match files and
|
||||
# directories to ignore when looking for source files.
|
||||
exclude_patterns = ['_build']
|
||||
|
||||
# The reST default role (used for this markup: `text`) to use for all
|
||||
# documents.
|
||||
#default_role = None
|
||||
|
||||
# If true, '()' will be appended to :func: etc. cross-reference text.
|
||||
#add_function_parentheses = True
|
||||
|
||||
# If true, the current module name will be prepended to all description
|
||||
# unit titles (such as .. function::).
|
||||
#add_module_names = True
|
||||
|
||||
# If true, sectionauthor and moduleauthor directives will be shown in the
|
||||
# output. They are ignored by default.
|
||||
#show_authors = False
|
||||
|
||||
# The name of the Pygments (syntax highlighting) style to use.
|
||||
pygments_style = 'sphinx'
|
||||
|
||||
# A list of ignored prefixes for module index sorting.
|
||||
#modindex_common_prefix = []
|
||||
|
||||
# If true, keep warnings as "system message" paragraphs in the built documents.
|
||||
#keep_warnings = False
|
||||
|
||||
# If true, `todo` and `todoList` produce output, else they produce nothing.
|
||||
todo_include_todos = True
|
||||
|
||||
|
||||
# -- Options for HTML output ----------------------------------------------
|
||||
|
||||
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||
# a list of builtin themes.
|
||||
html_theme = 'alabaster'
|
||||
|
||||
# Theme options are theme-specific and customize the look and feel of a theme
|
||||
# further. For a list of options available for each theme, see the
|
||||
# documentation.
|
||||
#html_theme_options = {}
|
||||
|
||||
# Add any paths that contain custom themes here, relative to this directory.
|
||||
#html_theme_path = []
|
||||
|
||||
# The name for this set of Sphinx documents. If None, it defaults to
|
||||
# "<project> v<release> documentation".
|
||||
#html_title = None
|
||||
|
||||
# A shorter title for the navigation bar. Default is the same as html_title.
|
||||
#html_short_title = None
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top
|
||||
# of the sidebar.
|
||||
#html_logo = None
|
||||
|
||||
# The name of an image file (within the static path) to use as favicon of the
|
||||
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
|
||||
# pixels large.
|
||||
#html_favicon = None
|
||||
|
||||
# Add any paths that contain custom static files (such as style sheets) here,
|
||||
# relative to this directory. They are copied after the builtin static files,
|
||||
# so a file named "default.css" will overwrite the builtin "default.css".
|
||||
html_static_path = ['_static']
|
||||
|
||||
# Add any extra paths that contain custom files (such as robots.txt or
|
||||
# .htaccess) here, relative to this directory. These files are copied
|
||||
# directly to the root of the documentation.
|
||||
#html_extra_path = []
|
||||
|
||||
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
|
||||
# using the given strftime format.
|
||||
#html_last_updated_fmt = '%b %d, %Y'
|
||||
|
||||
# If true, SmartyPants will be used to convert quotes and dashes to
|
||||
# typographically correct entities.
|
||||
#html_use_smartypants = True
|
||||
|
||||
# Custom sidebar templates, maps document names to template names.
|
||||
#html_sidebars = {}
|
||||
|
||||
# Additional templates that should be rendered to pages, maps page names to
|
||||
# template names.
|
||||
#html_additional_pages = {}
|
||||
|
||||
# If false, no module index is generated.
|
||||
#html_domain_indices = True
|
||||
|
||||
# If false, no index is generated.
|
||||
#html_use_index = True
|
||||
|
||||
# If true, the index is split into individual pages for each letter.
|
||||
#html_split_index = False
|
||||
|
||||
# If true, links to the reST sources are added to the pages.
|
||||
#html_show_sourcelink = True
|
||||
|
||||
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
|
||||
#html_show_sphinx = True
|
||||
|
||||
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
|
||||
#html_show_copyright = True
|
||||
|
||||
# If true, an OpenSearch description file will be output, and all pages will
|
||||
# contain a <link> tag referring to it. The value of this option must be the
|
||||
# base URL from which the finished HTML is served.
|
||||
#html_use_opensearch = ''
|
||||
|
||||
# This is the file name suffix for HTML files (e.g. ".xhtml").
|
||||
#html_file_suffix = None
|
||||
|
||||
# Language to be used for generating the HTML full-text search index.
|
||||
# Sphinx supports the following languages:
|
||||
# 'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
|
||||
# 'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr'
|
||||
#html_search_language = 'en'
|
||||
|
||||
# A dictionary with options for the search language support, empty by default.
|
||||
# Now only 'ja' uses this config value
|
||||
#html_search_options = {'type': 'default'}
|
||||
|
||||
# The name of a javascript file (relative to the configuration directory) that
|
||||
# implements a search results scorer. If empty, the default will be used.
|
||||
#html_search_scorer = 'scorer.js'
|
||||
|
||||
# Output file base name for HTML help builder.
|
||||
htmlhelp_basename = 'SecurePeerNetworkingwithTINCdoc'
|
||||
|
||||
# -- Options for LaTeX output ---------------------------------------------
|
||||
|
||||
latex_elements = {
|
||||
# The paper size ('letterpaper' or 'a4paper').
|
||||
#'papersize': 'letterpaper',
|
||||
|
||||
# The font size ('10pt', '11pt' or '12pt').
|
||||
#'pointsize': '10pt',
|
||||
|
||||
# Additional stuff for the LaTeX preamble.
|
||||
#'preamble': '',
|
||||
|
||||
# Latex figure (float) alignment
|
||||
#'figure_align': 'htbp',
|
||||
}
|
||||
|
||||
# Grouping the document tree into LaTeX files. List of tuples
|
||||
# (source start file, target name, title,
|
||||
# author, documentclass [howto, manual, or own class]).
|
||||
latex_documents = [
|
||||
(master_doc, 'SecurePeerNetworkingwithTINC.tex', u'Secure Peer Networking with TINC Documentation',
|
||||
u'Ben Kero', 'manual'),
|
||||
]
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top of
|
||||
# the title page.
|
||||
#latex_logo = None
|
||||
|
||||
# For "manual" documents, if this is true, then toplevel headings are parts,
|
||||
# not chapters.
|
||||
#latex_use_parts = False
|
||||
|
||||
# If true, show page references after internal links.
|
||||
#latex_show_pagerefs = False
|
||||
|
||||
# If true, show URL addresses after external links.
|
||||
#latex_show_urls = False
|
||||
|
||||
# Documents to append as an appendix to all manuals.
|
||||
#latex_appendices = []
|
||||
|
||||
# If false, no module index is generated.
|
||||
#latex_domain_indices = True
|
||||
|
||||
|
||||
# -- Options for manual page output ---------------------------------------
|
||||
|
||||
# One entry per manual page. List of tuples
|
||||
# (source start file, name, description, authors, manual section).
|
||||
man_pages = [
|
||||
(master_doc, 'securepeernetworkingwithtinc', u'Secure Peer Networking with TINC Documentation',
|
||||
[author], 1)
|
||||
]
|
||||
|
||||
# If true, show URL addresses after external links.
|
||||
#man_show_urls = False
|
||||
|
||||
|
||||
# -- Options for Texinfo output -------------------------------------------
|
||||
|
||||
# Grouping the document tree into Texinfo files. List of tuples
|
||||
# (source start file, target name, title, author,
|
||||
# dir menu entry, description, category)
|
||||
texinfo_documents = [
|
||||
(master_doc, 'SecurePeerNetworkingwithTINC', u'Secure Peer Networking with TINC Documentation',
|
||||
author, 'SecurePeerNetworkingwithTINC', 'One line description of project.',
|
||||
'Miscellaneous'),
|
||||
]
|
||||
|
||||
# Documents to append as an appendix to all manuals.
|
||||
#texinfo_appendices = []
|
||||
|
||||
# If false, no module index is generated.
|
||||
#texinfo_domain_indices = True
|
||||
|
||||
# How to display URL addresses: 'footnote', 'no', or 'inline'.
|
||||
#texinfo_show_urls = 'footnote'
|
||||
|
||||
# If true, do not generate a @detailmenu in the "Top" node's menu.
|
||||
#texinfo_no_detailmenu = False
|
||||
|
||||
|
||||
# -- Hieroglyph Slide Configuration ------------
|
||||
|
||||
extensions += [
|
||||
'hieroglyph',
|
||||
]
|
||||
|
||||
slide_title = 'Better Together'
|
||||
slide_theme = 'single-level'
|
||||
slide_levels = 3
|
||||
|
||||
# Place custom static assets in the _static directory and uncomment
|
||||
# the following lines to include them
|
||||
|
||||
# slide_theme_options = {
|
||||
# 'custom_css': 'custom.css',
|
||||
# 'custom_js': 'custom.js',
|
||||
# }
|
||||
|
||||
# ----------------------------------------------
|
||||
|
||||
|
||||
|
||||
# Example configuration for intersphinx: refer to the Python standard library.
|
||||
intersphinx_mapping = {'https://docs.python.org/': None}
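Review bot: The document metadata in this conf.py is residue from other decks rather than this talk: the header comment says "Avisory Third Party CI", `project = u'Advisory Third Party CI'`, `htmlhelp_basename = 'SecurePeerNetworkingwithTINCdoc'`, and the latex_documents/man_pages/texinfo_documents tuples carry the "Secure Peer Networking with TINC" title and, for LaTeX, `u'Ben Kero'` as author, while `slide_title = 'Better Together'`. Those strings become the generated page titles, footers and PDF/man/texinfo output, so they should be changed to this talk's title and author, or at least derived from `project` and `author` so one edit fixes all of them. Separately, `import shlex` is never used, and `sphinx.ext.pngmath` appears to be the older extension name that newer Sphinx releases replaced with `sphinx.ext.imgmath`; a hieroglyph-only slide deck can drop both.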
|
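--- a/index.html
+++ b/index.html
@@ -1,99 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title>
-OpenStack Project Infrastructure Publications
-</title>
-<!-- Google Fonts -->
-<link href="http://fonts.googleapis.com/css?family=PT+Sans&subset=latin" rel="stylesheet" type="text/css"/>
-<!-- Framework CSS -->
-<link href="http://openstack.org/themes/openstack/css/blueprint/screen.css" media="screen, projection" rel="stylesheet" type="text/css"/>
-<link href="http://openstack.org/themes/openstack/css/blueprint/print.css" media="print" rel="stylesheet" type="text/css"/>
-<!--[if lt IE 8]><link rel="stylesheet" href="http://openstack.org/themes/openstack/css/blueprint/ie.css" type="text/css" media="screen, projection"><![endif]-->
-<!-- OpenStack Specific CSS -->
-<link href="http://openstack.org/themes/openstack/css/main.css" media="screen, projection, print" rel="stylesheet" type="text/css"/>
-</head>
-<body>
-<div class="container">
-<div id="header">
-<div class="span-5">
-<h1 id="logo">
-<a href="/">
-OpenStack
-</a>
-</h1>
-</div>
-<div class="span-19 last blueLine">
-<div class="span-19" id="navigation">
-<ul id="Menu1">
-<li>
-<a href="http://www.openstack.org/" title="Go to the OpenStack Home page">
-Home
-</a>
-</li>
-<li>
-<a class="link" href="http://www.openstack.org/software/" title="About OpenStack">
-About
-</a>
-</li>
-<li>
-<a class="link" href="http://www.openstack.org/user-stories/" title="Read stories about companies that use OpenStack to get work done.">
-User Stories
-</a>
-</li>
-<li>
-<a class="link" href="http://www.openstack.org/community/" title="Go to the OpenStack Community page">
-Community
-</a>
-</li>
-<li>
-<a class="link" href="http://www.openstack.org/profile/" title="Edit your OpenStack community profile">
-Profile
-</a>
-</li>
-<li>
-<a href="http://www.openstack.org/blog/" title="Go to the OpenStack Blog">
-Blog
-</a>
-</li>
-<li>
-<a href="http://wiki.openstack.org/" title="Go to the OpenStack Wiki">
-Wiki
-</a>
-</li>
-<li>
-<a href="http://docs.openstack.org/glossary/content/glossary.html" title="See definitions of OpenStack terms">
-Glossary
-</a>
-</li>
-<li>
-<a class="current" href="http://docs.openstack.org/" title="Go to the OpenStack Documentation">
-Documentation
-</a>
-</li>
-</ul>
-</div>
-</div>
-</div>
-</div>
-<!-- Page Content -->
-<div class="container">
-<h1>
-OpenStack Project Infrastructure Publications
-</h1>
-</div>
-<div class="container">
-<h2>
-Current Publications
-</h2>
-{current}
-</div>
-<br/>
-<div class="container">
-<h2>
-Previous Publications
-</h2>
-{previous}
-</div>
-</body>
-</html>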
|
@ -0,0 +1,672 @@
|
|||
|
||||
.. Secure Peer Networking with TINC slides file, created by
|
||||
hieroglyph-quickstart on Sun Nov 15 21:40:13 2015.
|
||||
|
||||
|
||||
===================================
|
||||
Better Together: Puppet and Ansible
|
||||
===================================
|
||||
|
||||
.. figure:: _static/config_mgmt_camp_logo.png
|
||||
:align: left
|
||||
:width: 300px
|
||||
|
||||
Spencer Krum, IBM
|
||||
|
||||
Feb 2, 2016
|
||||
|
||||
@nibalizer
|
||||
|
||||
http://spencerkrum.com
|
||||
https://git.openstack.org/cgit/openstack-infra/publications
|
||||
|
||||
.. note::
|
||||
|
||||
* Who am I
|
||||
* What do I work on
|
||||
* github
|
||||
|
||||
|
||||
Portland
|
||||
========
|
||||
|
||||
.. figure:: _static/mt_hood.jpg
|
||||
:align: center
|
||||
|
||||
|
||||
Other People
|
||||
============
|
||||
|
||||
* OpenStack Infra Team
|
||||
* Jim Blair
|
||||
* Monty Taylor
|
||||
* Colleen Murphy
|
||||
* Hunter Haugen
|
||||
* Many More
|
||||
|
||||
.. note::
|
||||
|
||||
* Team effort
|
||||
|
||||
Agenda
|
||||
======
|
||||
|
||||
* Introduction
|
||||
* Describe OpenStack Infra Team and Infrastructure
|
||||
* Describe Puppet use
|
||||
* Describe Ansible use
|
||||
* Describe the Ansible-Puppet collaboration
|
||||
|
||||
|
||||
OpenStack Infrastructure
|
||||
========================
|
||||
|
||||
* General Overview
|
||||
|
||||
.. note::
|
||||
* OpenStack is software
|
||||
* We test it
|
||||
* 20k tests a day at peak times
|
||||
* Jobs, test, integration, docs, release, translate
|
||||
|
||||
History
|
||||
=======
|
||||
|
||||
* Started 5 years ago
|
||||
* Open Source
|
||||
|
||||
.. note::
|
||||
* pleia jim/monty sitck figures
|
||||
* pre ansible (python shop)
|
||||
* tried chef, hard
|
||||
* went with puppet
|
||||
* Heavy CI/CD culture, everything goes through git, delpoy - grafana
|
||||
|
||||
Primary Services
|
||||
================
|
||||
|
||||
* Code Review (gerrit)
|
||||
* CI (zomg complexity)
|
||||
* Code hosting (haproxy/cgit farm)
|
||||
* Mailing lists(mailman)
|
||||
|
||||
.. note::
|
||||
* These are the things that we really need to be up
|
||||
* Our CI system is home grown and awesome
|
||||
|
||||
Secondary Services
|
||||
==================
|
||||
|
||||
* wiki
|
||||
* ask.openstack.org
|
||||
* mailing lists
|
||||
* afs/kerberos
|
||||
* irc bots
|
||||
* paste
|
||||
* etherpad
|
||||
* elk
|
||||
* zanata
|
||||
* graphite/grafana/grafyaml
|
||||
|
||||
.. note::
|
||||
* These are the things that got set up
|
||||
* Lot of community involvment here
|
||||
|
||||
|
||||
Codesearch
|
||||
==========
|
||||
|
||||
.. figure:: _static/codesearch.png
|
||||
:align: center
|
||||
|
||||
* http://codesearch.openstack.org
|
||||
|
||||
.. note::
|
||||
* codesearch.openstack.org
|
||||
* hound from etsy
|
||||
* deployed by outreachy intern
|
||||
* use our puppet module!
|
||||
* wicked fast
|
||||
|
||||
Basics
|
||||
======
|
||||
|
||||
* 30 'pets'
|
||||
* 12 x jenkins masters
|
||||
* 20 x package mirrors
|
||||
* 8 x git mirrors
|
||||
* ~30 elk cluster
|
||||
* infinity test vms
|
||||
|
||||
.. note::
|
||||
* These are the things that got set up
|
||||
* Lot of community involvment here
|
||||
|
||||
Basics
|
||||
======
|
||||
|
||||
* All infrastructure runs on OpenStack clouds
|
||||
* Clouds donated by companies <3
|
||||
* Rackspace and HPCloud at first
|
||||
* Now involving BlueBox, OVH, Internap and more
|
||||
|
||||
.. note::
|
||||
* Maybe yours
|
||||
* HP has donated a blob of physical gear which we are clouding
|
||||
* Run our services on the public internet
|
||||
|
||||
|
||||
Mgmt
|
||||
====
|
||||
|
||||
* Precise, Trusty, Centos 7
|
||||
* Puppet for config mgmt
|
||||
* Ansible for orchestration
|
||||
* Disk-image-builder for image builds
|
||||
* snmp + cacti for metrics
|
||||
* puppetboard for visibility
|
||||
|
||||
|
||||
.. note::
|
||||
* Precise, trusty, centos 7
|
||||
* Centos 6 was killed
|
||||
* Puppet does all configuration of everything, services, files, templates, packages
|
||||
|
||||
Puppet circa 2014
|
||||
=================
|
||||
|
||||
* 2.7 Master
|
||||
* Passenger
|
||||
* Generated certs, w/ push
|
||||
* CI/CD
|
||||
* install_modules.sh
|
||||
* puppet-lint test
|
||||
* some public modules
|
||||
* single puppet repo
|
||||
|
||||
.. note::
|
||||
* Single puppetmaster
|
||||
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
|
||||
* near-perfect cd
|
||||
* install_modules.sh was sortof r10kish
|
||||
* public modules were all really old versions
|
||||
* public internet, rouge puppet certs
|
||||
|
||||
|
||||
Example of where we were at
|
||||
==========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
if [ -n "$NODEPOOL_SSH_KEY" ] ; then
|
||||
puppet_install_users="install_users => false,
|
||||
ssh_key => '$NODEPOOL_SSH_KEY',"
|
||||
else
|
||||
puppet_install_users=""
|
||||
fi
|
||||
|
||||
cat >/tmp/local.pp <<EOF
|
||||
class {'openstack_project::single_use_slave':
|
||||
sudo => $SUDO,
|
||||
thin => $THIN,
|
||||
install_resolv_conf => false,
|
||||
$puppet_install_users
|
||||
}
|
||||
EOF
|
||||
|
||||
puppet apply /tmp/local.pp
|
||||
|
||||
.. note::
|
||||
* Some but not all of the terribleness has been preserved
|
||||
* run this in prod
|
||||
|
||||
Example of where we were at
|
||||
==========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
# upstream is currently looking for /run/systemd files to check
|
||||
# for systemd. This fails in a chroot where /run isn't mounted
|
||||
# (like when using dib). Comment out this confine as fedora
|
||||
# always has systemd
|
||||
# see
|
||||
# https://github.com/puppetlabs/puppet/pull/4481
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1254616
|
||||
sudo sed -i.bak \
|
||||
'/^[^#].*/ s|\(^.*confine :exists => \"/run/systemd/system\".*$\)|#\ \1|' \
|
||||
/usr/share/ruby/vendor_ruby/puppet/provider/service/systemd.rb
|
||||
|
||||
.. note::
|
||||
* Puppet 4 on f23
|
||||
* A user level patch to software that was patched before being packaged
|
||||
|
||||
|
||||
Upgrades to the puppet setup
|
||||
============================
|
||||
|
||||
* 3.x
|
||||
* PuppetDB + PuppetBoard
|
||||
* Modules split out
|
||||
* Started using newer public modules
|
||||
* Upgraded apache
|
||||
|
||||
.. note::
|
||||
* 3.x happened right as 2.7 Eol'd for the last time
|
||||
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
|
||||
* near-perfect cd
|
||||
* install_modules.sh was sortof r10kish
|
||||
* public modules were all really old versions
|
||||
|
||||
Upgrades to the puppet setup: Apply test
|
||||
========================================
|
||||
|
||||
* Apply test http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
file=$1
|
||||
fileout=${file}.out
|
||||
echo "##" > $fileout
|
||||
cat $file > $fileout
|
||||
sudo puppet apply --noop --verbose --debug $file >/dev/null 2>> $fileout
|
||||
ret=$?
|
||||
cat $fileout
|
||||
exit $ret
|
||||
|
||||
.. note::
|
||||
* 3.x happened right as 2.7 Eol'd for the last time
|
||||
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
|
||||
* near-perfect cd
|
||||
* install_modules.sh was sortof r10kish
|
||||
* public modules were all really old versions
|
||||
|
||||
Upgrades to the puppet setup: OpenStackCI
|
||||
=========================================
|
||||
|
||||
* Control Repo Indirector
|
||||
* Puppet module
|
||||
|
||||
.. note::
|
||||
* Open Source when you release
|
||||
* Open source when you get users
|
||||
* Wraps Daemons and configuration
|
||||
* All-in-one node deployment
|
||||
|
||||
|
||||
Upgrades to the puppet setup: Public Hiera
|
||||
==========================================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit 1624692402d2148ab7d6dd9e5642fb0b34ec7209
|
||||
Author: Spencer Krum <nibz@spencerkrum.com>
|
||||
Date: Fri Apr 24 08:36:46 2015 -0700
|
||||
|
||||
Convert hiera configuration to support public data
|
||||
|
||||
This moves the hiera root under /opt/system-config so it can reach
|
||||
into both private and public hiera directories. This implies that
|
||||
hiera data will live in a hiera/ directory in system-config.
|
||||
|
||||
Manual: This requires a manual change to the puppetmaster system. A
|
||||
rooter must move /etc/puppet/hieradata to /opt/system-config/hieradata
|
||||
|
||||
Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/public_hiera.html
|
||||
|
||||
Change-Id: I1736759ee9ac7cd0c206538ed0a2f6d0d71ea440
|
||||
|
||||
|
||||
.. note::
|
||||
* Split Data from code
|
||||
* Increase visibility
|
||||
* Reduces merge conflicts
|
||||
|
||||
|
||||
Need basic orchestration
|
||||
========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit b55ed05a274e5da40b567ad127a3d1c5808e48c6
|
||||
Author: Monty Taylor <mordred@inaugust.com>
|
||||
Date: Mon Mar 17 04:01:33 2014 -0400
|
||||
|
||||
Drive puppet from the master over ssh
|
||||
|
||||
We'd like to be able to control sequencing of how and when puppet
|
||||
runs across our machines. Currently, it's just a set of agents
|
||||
that run kinda whenever they run. At times they hang and we don't
|
||||
know about it. Also, cross-server sequencing is impossible to
|
||||
achieve.
|
||||
|
||||
Change the operation away from agents running on the machine as
|
||||
daemons, and instead ssh from the master to each machine.
|
||||
|
||||
Change-Id: I76e41e63c6d0825e8735c484ba4580d545515e43
|
||||
|
||||
.. note::
|
||||
* /opt/config/production/run_all.sh
|
||||
* 'override hosts'
|
||||
* gave us limited Do X before Y
|
||||
* create repos in git slaves before creating them in the git master
|
||||
* replication in the git-master is a bit derpy
|
||||
* "this allows creation of git repos on the git slaves before creation of the master repos on the gerrit server"
|
||||
|
||||
|
||||
Need basic orchestration
|
||||
========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
|
||||
Author: Monty Taylor <mordred@inaugust.com>
|
||||
Date: Tue Apr 15 17:41:45 2014 -0700
|
||||
|
||||
Use ansible instead of direct ssh calls
|
||||
|
||||
Instead of a shell script looping over ssh calls, use a simple
|
||||
ansible playbook. The benefit this gets is that we can then also
|
||||
script ad-hoc admin tasks either via playbooks or on the command
|
||||
line. We can also then get rid of the almost entirely unused
|
||||
salt infrastructure.
|
||||
|
||||
Change-Id: I53112bd1f61d94c0521a32016c8a47c8cf9e50f7
|
||||
|
||||
.. note::
|
||||
* Yes there was a ancient salt infra crusting
|
||||
|
||||
|
||||
Puppet Inventory
|
||||
================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
import json
|
||||
import subprocess
|
||||
|
||||
output = [
|
||||
x.split()[1][1:-1] for x in subprocess.check_output(
|
||||
["puppet","cert","list","-a"]).split('\n')
|
||||
if x.startswith('+')
|
||||
]
|
||||
|
||||
data = {
|
||||
'_meta': {'hostvars': dict()},
|
||||
'ungrouped': output,
|
||||
}
|
||||
print json.dumps(data, sort_keys=True, indent=2)
|
||||
|
||||
|
||||
.. note::
|
||||
* Ansible dynamic inventory
|
||||
* Reads puppet cert --list --all
|
||||
|
||||
|
||||
|
||||
OpenStack Inventory
|
||||
===================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
commit 714c934d0c57ed4c4ce653c0bb603071fc3dbff6
|
||||
Author: Monty Taylor <mordred@inaugust.com>
|
||||
Date: Wed Nov 25 11:36:30 2015 -0500
|
||||
|
||||
Use OpenStack for inventory instead of puppet
|
||||
|
||||
With the puppetmaster not there anymore, we should consume inventory
|
||||
from OpenStack rather than from puppet.
|
||||
|
||||
It turns out that because of the way static and dynamic inventories get
|
||||
merged, the static file needs to stand alone. SO - if you need to
|
||||
disable a dynamic host from OpenStack (pretty much all of our hosts) you
|
||||
need to not only add it to dynamic:children, you need to add an emtpy
|
||||
group into the static file too, otherwise you'll get an error like:
|
||||
|
||||
root@puppetmaster:~# ansible -i newinv '!disabled' --list-hosts
|
||||
ERROR: newinv/static:4: child group is not defined: (jenkins-dev.openstack.org)
|
||||
|
||||
Change-Id: Ic6809ed0b7014d7aebd414bf3a342e3a37eb10b6
|
||||
|
||||
.. note::
|
||||
* Ansible 2.0 released
|
||||
* Uses shade, a library we wrote
|
||||
* This inventory file lives in ansible/contrib
|
||||
* Start a really fucking annoying process of getting us the ability to disable a host temporarily
|
||||
|
||||
|
||||
Ansible group membership
|
||||
========================
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
jenkins jenkins*.openstack.org
|
||||
logstash-worker ~logstash-worker\d+\.openstack\.org
|
||||
subunit-worker ~subunit-worker\d+\.openstack\.org
|
||||
elasticsearch ~elasticsearch0[1-7]\.openstack\.org
|
||||
git-loadbalancer ~git(-fe\d+)?\.openstack\.org
|
||||
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
|
||||
git-server ~git\d+\.openstack\.org
|
||||
pypi pypi.*.openstack.org
|
||||
afsdb afsdb*.openstack.org
|
||||
afs afs*.*.openstack.org
|
||||
|
||||
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
|
||||
|
||||
|
||||
|
||||
Ansible's Role
|
||||
==============
|
||||
|
||||
* Ad hoc
|
||||
* Jenkins 'Maintenance'
|
||||
* Upgrades (see references)
|
||||
* Puppet Runs
|
||||
|
||||
|
||||
.. note::
|
||||
* get it?
|
||||
* Upgraded our elasticsearch cluster using ansible, through code review
|
||||
|
||||
|
||||
Jenkins Maintenance
|
||||
===================
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
---
|
||||
- hosts: 'jenkins0*.openstack.org'
|
||||
# Do the entire play completely for one host at a time
|
||||
serial: 1
|
||||
# Treat any errors as fatal so that we don't stop all the jenkins
|
||||
# masters.
|
||||
any_errors_fatal: true
|
||||
tasks:
|
||||
- shell: '/usr/local/jenkins/bin/safe_jenkins_shutdown --url https://{{ ansible_fqdn }}/ --user {{ user }} --password {{ password }}'
|
||||
- service: name=jenkins state=stopped
|
||||
# This is necessary because stopping Jenkins is not reliable.
|
||||
# We allow return code 1 which means no processes found.
|
||||
- shell: 'pkill -9 -U jenkins || [ $? -eq "1" ]'
|
||||
- service: name=jenkins state=restarted
|
||||
|
||||
|
||||
|
||||
.. note::
|
||||
* On cron once a week
|
||||
* This, and all ansible runs, run from one host, the puppetmaster
|
||||
* Bastion model
|
||||
|
||||
|
||||
Run_all.sh
|
||||
==========
|
||||
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
cd $SYSTEM_CONFIG
|
||||
git fetch -a && git reset -q --hard @{u}
|
||||
./install_modules.sh
|
||||
ansible-galaxy install --force -r roles.yaml
|
||||
|
||||
# First, sync the puppet repos with all the machines
|
||||
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/update_puppet.yaml
|
||||
# Run the git/gerrit sequence, since it's important that they all work together
|
||||
ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
|
||||
# Run AFS changes separately so we can make sure to only do one at a time
|
||||
# (turns out quorum is nice to have)
|
||||
ansible-playbook -f 1 ${ANSIBLE_PLAYBOOKS}/remote_puppet_afs.yaml
|
||||
# Run everything else. We do not care if the other things worked
|
||||
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/remote_puppet_else.yaml
|
||||
|
||||
.. note::
|
||||
* Every 15 minutes by cron
|
||||
* Flocking in the cron, this can certainly take longer than 15 minutes
|
||||
* Think about this relatively infrequently -> CI
|
||||
|
||||
|
||||
Puppet + Ansible
|
||||
================
|
||||
|
||||
* Copy code
|
||||
* Copy secrets
|
||||
* Inject variables
|
||||
* Run puppet
|
||||
* Save report
|
||||
* Push to puppetdb
|
||||
|
||||
.. note::
|
||||
* no use of r10k or install_modules.sh
|
||||
* Code is rsyncd from the puppetmaster
|
||||
* Specific hiera files are pushed, this is controlled by ansible groups
|
||||
* Environment variables such as git refs are set using FACTER variables
|
||||
* puppet is run
|
||||
* report_file report processor runs, emits a json blob
|
||||
* json blob copied back to puppet master, curl'd at puppetdb
|
||||
|
||||
Copy code
|
||||
=========
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- block:
|
||||
- name: copy puppet modules
|
||||
synchronize:
|
||||
src: "{{ manifest_base }}/{{ puppet_environment }}"
|
||||
dest: "{{ manifest_base }}"
|
||||
|
||||
Copy secrets
|
||||
============
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- name: make file list
|
||||
puppet_get_hiera_file_list:
|
||||
fqdn: "{{ ansible_fqdn }}"
|
||||
groups: "{{ hostvars[inventory_hostname].group_names }}"
|
||||
location: "{{ hieradata }}/{{ puppet_environment }}"
|
||||
delegate_to: localhost
|
||||
register: hiera_file_paths
|
||||
|
||||
- name: copy hiera files
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ item }}"
|
||||
mode: 0600
|
||||
with_items: hiera_file_paths.paths|default()
|
||||
|
||||
|
||||
Run Puppet
|
||||
==========
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- name: run puppet
|
||||
puppet:
|
||||
puppetmaster: "{{ puppetmaster|default(omit) }}"
|
||||
manifest: "{{ manifest|default(omit) }}"
|
||||
show_diff: "{{ show_diff|default(false) }}"
|
||||
facts: "{{ facts|default(omit) }}"
|
||||
facter_basename: "{{ facter_basename|default(omit) }}"
|
||||
|
||||
|
||||
Post report and facts to puppetdb
|
||||
==================================
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
- name: fetch file
|
||||
synchronize:
|
||||
mode: pull
|
||||
src: "{{ puppet_logfile }}"
|
||||
dest: /var/lib/puppet/reports/{{ ansible_fqdn }}
|
||||
|
||||
- name: post facts
|
||||
puppet_post_puppetdb:
|
||||
puppetdb: "{{ puppetdb }}"
|
||||
hostvars: "{{ hostvars[inventory_hostname] }}"
|
||||
logfile: "{{ puppet_logfile }}"
|
||||
whoami: "{{ ansible_fqdn }}"
|
||||
delegate_to: localhost
|
||||
connection: local
|
||||
|
||||
|
||||
PuppetBoard
|
||||
===========
|
||||
|
||||
|
||||
.. figure:: _static/puppetboard.png
|
||||
:align: center
|
||||
|
||||
|
||||
Next Steps
|
||||
==========
|
||||
|
||||
* Shore up the puppetdb integration, has some bugs
|
||||
* Move launch_node.py into ansible
|
||||
* Remove puppet agent dependency for launch_node.py, disable puppetmaster service
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
* All infra repos: http://git.openstack.org/cgit/openstack-infra/
|
||||
* Main Control repo: http://git.openstack.org/cgit/openstack-infra/system-config
|
||||
* ansible-puppet role: http://git.openstack.org/cgit/openstack-infra/system-config
|
||||
* Apply test: http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
|
||||
* OpenStack CI http://docs.openstack.org/infra/openstackci/
|
||||
* Diskimage-Builder http://docs.openstack.org/developer/diskimage-builder/
|
||||
|
||||
References (cont)
|
||||
=================
|
||||
|
||||
* ELK Upgrade Playbook: https://review.openstack.org/#/c/238185/
|
||||
* Ansible puppetdb glue: http://git.openstack.org/cgit/openstack-infra/ansible-puppet/tree/library/puppet_post_puppetdb
|
||||
* Json puppet report processor: http://git.openstack.org/cgit/openstack-infra/system-config/tree/modules/openstack_project/lib/puppet/reports/puppetdb_file.rb
|
||||
|
||||
References: shas
|
||||
================
|
||||
|
||||
* Drive puppet from ssh: edaa31ebbda09fb03baf1d18b64f5fa996188745
|
||||
* Move from ssh to ansible: 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
|
||||
* Public hiera: 1624692402d2148ab7d6dd9e5642fb0b34ec7209
|
||||
|
||||
|
||||
|
||||
Thank You
|
||||
=========
|
||||
|
||||
.. figure:: _static/spencer_face.jpg
|
||||
:align: left
|
||||
|
||||
Spencer Krum
|
||||
|
||||
IBM
|
||||
|
||||
@nibalizer
|
||||
|
||||
nibz@spencerkrum.com
|
||||
|
||||
https://git.openstack.org/cgit/openstack-infra/publications
|
||||
|
||||
|
||||
|
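--- a/make-index
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/env python
-
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import subprocess
-
-def run_local(cmd, cwd='.', env={}):
-    print "Running:", cmd
-    newenv = os.environ
-    newenv.update(env)
-    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, cwd=cwd,
-                         stderr=subprocess.STDOUT, env=newenv)
-    (out, nothing) = p.communicate()
-    return (p.returncode, out.strip())
-
-def git_branches():
-    branches = []
-    r, branch_list = run_local(['git', 'branch', '-a'])
-    for branch in branch_list.split("\n"):
-        branch = branch.strip()
-        if not branch.startswith('remotes/origin'):
-            continue
-        branches.append(branch)
-    return branches
-
-def git_tags():
-    r, tag_list = run_local(['git', 'tag', '-n'])
-    return [x for x in tag_list.split('\n') if x]
-
-current = ''
-previous = ''
-
-for branch in git_branches():
-    if branch.startswith('remotes/origin/master'):
-        continue
-    if branch.startswith('remotes/origin/template'):
-        continue
-    if branch.startswith('remotes/origin/HEAD'):
-        continue
-    if '->' in branch:
-        continue
-    r,o = run_local(['git', 'show', branch+':README.rst'])
-    if not r:
-        title = o.split('\n')[0]
-        name = branch[len('remotes/origin/'):]
-        print "Adding branch %s: %s" % (name, title)
-        current += '<a href="%s/">%s</a><br/>\n' % (name, title)
-
-
-for tagline in git_tags():
-    tag, tag_title = [x.strip() for x in tagline.split(' ', 1)]
-    r,o = run_local(['git', 'show', tag+':README.rst'])
-    if not r:
-        title = o.split('\n')[0]
-        print "Adding tag %s: %s: %s" % (tag, tag_title, title)
-        previous += '<a href="%s/">%s: %s</a><br/>\n' % (tag, tag_title, title)
-
-
-if not os.path.exists('output'):
-    os.mkdir('output')
-
-out = open('output/index.html', 'w')
-out.write(open('index.html').read().format(current=current, previous=previous))
-out.close()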
|
@ -0,0 +1,14 @@
|
|||
Babel==2.1.1
|
||||
Jinja2==2.8
|
||||
MarkupSafe==0.23
|
||||
Pygments==2.0.2
|
||||
Sphinx==1.3.1
|
||||
alabaster==0.7.6
|
||||
argparse==1.2.1
|
||||
docutils==0.12
|
||||
hieroglyph==0.7.1
|
||||
pytz==2015.7
|
||||
six==1.10.0
|
||||
snowballstemmer==1.2.0
|
||||
sphinx-rtd-theme==0.1.9
|
||||
wsgiref==0.1.2
|