ConfigMgmtConf 2016 by Spencer Krum (nibalizer)

This talk covered how we use Ansible and Puppet together.

Change-Id: Ie7792e3b3621bc0c3cafa07656a343240f8f02e0
Spencer Krum 2016-02-08 11:13:09 -08:00
parent fc67bd8a1d
commit 71e1eff3da
17 changed files with 1870 additions and 199 deletions

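--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-output
+*.swp
+venv
+_build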


@ -2,4 +2,4 @@
host=review.openstack.org
port=29418
project=openstack-infra/publications.git
defaultbranch=master
defaultbranch=better-together-puppet-and-ansible

198
Makefile Normal file

@ -0,0 +1,198 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER =
BUILDDIR = _build
# User-friendly check for sphinx-build
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
endif
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " applehelp to make an Apple Help Book"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " xml to make Docutils-native XML files"
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
@echo " coverage to run coverage check of the documentation (if enabled)"
clean:
rm -rf $(BUILDDIR)/*
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/SecurePeerNetworkingwithTINC.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/SecurePeerNetworkingwithTINC.qhc"
applehelp:
$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
@echo
@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
@echo "N.B. You won't be able to view it unless you put it in" \
"~/Library/Documentation/Help or install it in your application" \
"bundle."
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/SecurePeerNetworkingwithTINC"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/SecurePeerNetworkingwithTINC"
@echo "# devhelp"
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
latexpdfja:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through platex and dvipdfmx..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
man:
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."
coverage:
$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
@echo "Testing of coverage in the sources finished, look at the " \
"results in $(BUILDDIR)/coverage/python.txt."
xml:
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
@echo
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
pseudoxml:
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
@echo
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
slides:
$(SPHINXBUILD) -b slides $(ALLSPHINXOPTS) $(BUILDDIR)/slides
@echo "Build finished. The HTML slides are in $(BUILDDIR)/slides."
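Review bot: The `clean` recipe `rm -rf $(BUILDDIR)/*` has no guard, and because BUILDDIR is advertised as settable from the command line, `make clean BUILDDIR=` expands to `rm -rf /*`; put a guard line in front of it, `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))`. The `info` target calls literal `make -C`, unlike `latexpdf` and `latexpdfja` which use `$(MAKE)`; change it to `$(MAKE) -C $(BUILDDIR)/texinfo info` so the jobserver and `-n` propagate. The `.PHONY` list omits `applehelp`, `texinfo`, `info`, `xml`, `pseudoxml` and `slides`, so a stray file named `slides` in the checkout would turn `make slides` into a silent no-op. The `qthelp` and `devhelp` messages still name `SecurePeerNetworkingwithTINC`, which looks like a leftover from the deck this Makefile was copied from and should match this presentation's project name.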


@ -1,28 +1,672 @@
Publications Repository
=======================
Each publication should get its own branch and is a living document.
.. Secure Peer Networking with TINC slides file, created by
hieroglyph-quickstart on Sun Nov 15 21:40:13 2015.
In order to create a new slide deck, create your branch from the
presentation template. See the `template README
<https://git.openstack.org/cgit/openstack-infra/publications/tree/README.rst?h=template>`_
for step by step instructions on this process.
Note that each branch should have a README.rst file where the first line
is the title of the presentation.
===================================
Better Together: Puppet and Ansible
===================================
Each time a publication is presented or published, the branch should
be tagged (with a signed, annotated tag). The first line of the tag
message should be the title of the event or publication, and the tag
itself should be in the format "year-venue-publication". For example,
if the presentation "overview" was given at LinuxCon North America
2013, you might tag it with:
.. figure:: _static/config_mgmt_camp_logo.png
:align: left
:width: 300px
Spencer Krum, IBM
Feb 2, 2016
@nibalizer
http://spencerkrum.com
https://git.openstack.org/cgit/openstack-infra/publications
.. note::
* Who am I
* What do I work on
* github
Portland
========
.. figure:: _static/mt_hood.jpg
:align: center
Other People
============
* OpenStack Infra Team
* Jim Blair
* Monty Taylor
* Colleen Murphy
* Hunter Haugen
* Many More
.. note::
* Team effort
Agenda
======
* Introduction
* Describe OpenStack Infra Team and Infrastructure
* Describe Puppet use
* Describe Ansible use
* Describe the Ansible-Puppet collaboration
OpenStack Infrastructure
========================
* General Overview
.. note::
* OpenStack is software
* We test it
* 20k tests a day at peak times
* Jobs, test, integration, docs, release, translate
History
=======
* Started 5 years ago
* Open Source
.. note::
* pleia jim/monty sitck figures
* pre ansible (python shop)
* tried chef, hard
* went with puppet
* Heavy CI/CD culture, everything goes through git, delpoy - grafana
Primary Services
================
* Code Review (gerrit)
* CI (zomg complexity)
* Code hosting (haproxy/cgit farm)
* Mailing lists(mailman)
.. note::
* These are the things that we really need to be up
* Our CI system is home grown and awesome
Secondary Services
==================
* wiki
* ask.openstack.org
* mailing lists
* afs/kerberos
* irc bots
* paste
* etherpad
* elk
* zanata
* graphite/grafana/grafyaml
.. note::
* These are the things that got set up
* Lot of community involvment here
Codesearch
==========
.. figure:: _static/codesearch.png
:align: center
* http://codesearch.openstack.org
.. note::
* codesearch.openstack.org
* hound from etsy
* deployed by outreachy intern
* use our puppet module!
* wicked fast
Basics
======
* 30 'pets'
* 12 x jenkins masters
* 20 x package mirrors
* 8 x git mirrors
* ~30 elk cluster
* infinity test vms
.. note::
* These are the things that got set up
* Lot of community involvment here
Basics
======
* All infrastructure runs on OpenStack clouds
* Clouds donated by companies <3
* Rackspace and HPCloud at first
* Now involving BlueBox, OVH, Internap and more
.. note::
* Maybe yours
* HP has donated a blob of physical gear which we are clouding
* Run our services on the public internet
Mgmt
====
* Precise, Trusty, Centos 7
* Puppet for config mgmt
* Ansible for orchestration
* Disk-image-builder for image builds
* snmp + cacti for metrics
* puppetboard for visibility
.. note::
* Precise, trusty, centos 7
* Centos 6 was killed
* Puppet does all configuration of everything, services, files, templates, packages
Puppet circa 2014
=================
* 2.7 Master
* Passenger
* Generated certs, w/ push
* CI/CD
* install_modules.sh
* puppet-lint test
* some public modules
* single puppet repo
.. note::
* Single puppetmaster
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
* near-perfect cd
* install_modules.sh was sortof r10kish
* public modules were all really old versions
* public internet, rouge puppet certs
Example of where we were at
==========================
.. code-block:: shell
if [ -n "$NODEPOOL_SSH_KEY" ] ; then
puppet_install_users="install_users => false,
ssh_key => '$NODEPOOL_SSH_KEY',"
else
puppet_install_users=""
fi
cat >/tmp/local.pp <<EOF
class {'openstack_project::single_use_slave':
sudo => $SUDO,
thin => $THIN,
install_resolv_conf => false,
$puppet_install_users
}
EOF
puppet apply /tmp/local.pp
.. note::
* Some but not all of the terribleness has been preserved
* run this in prod
Example of where we were at
==========================
.. code-block:: shell
# upstream is currently looking for /run/systemd files to check
# for systemd. This fails in a chroot where /run isn't mounted
# (like when using dib). Comment out this confine as fedora
# always has systemd
# see
# https://github.com/puppetlabs/puppet/pull/4481
# https://bugzilla.redhat.com/show_bug.cgi?id=1254616
sudo sed -i.bak \
'/^[^#].*/ s|\(^.*confine :exists => \"/run/systemd/system\".*$\)|#\ \1|' \
/usr/share/ruby/vendor_ruby/puppet/provider/service/systemd.rb
.. note::
* Puppet 4 on f23
* A user level patch to software that was patched before being packaged
Upgrades to the puppet setup
============================
* 3.x
* PuppetDB + PuppetBoard
* Modules split out
* Started using newer public modules
* Upgraded apache
.. note::
* 3.x happened right as 2.7 Eol'd for the last time
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
* near-perfect cd
* install_modules.sh was sortof r10kish
* public modules were all really old versions
Upgrades to the puppet setup: Apply test
========================================
* Apply test http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
.. code-block:: shell
file=$1
fileout=${file}.out
echo "##" > $fileout
cat $file > $fileout
sudo puppet apply --noop --verbose --debug $file >/dev/null 2>> $fileout
ret=$?
cat $fileout
exit $ret
.. note::
* 3.x happened right as 2.7 Eol'd for the last time
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
* near-perfect cd
* install_modules.sh was sortof r10kish
* public modules were all really old versions
Upgrades to the puppet setup: OpenStackCI
=========================================
* Control Repo Indirector
* Puppet module
.. note::
* Open Source when you release
* Open source when you get users
* Wraps Daemons and configuration
* All-in-one node deployment
Upgrades to the puppet setup: Public Hiera
==========================================
.. code-block:: shell
commit 1624692402d2148ab7d6dd9e5642fb0b34ec7209
Author: Spencer Krum <nibz@spencerkrum.com>
Date: Fri Apr 24 08:36:46 2015 -0700
Convert hiera configuration to support public data
This moves the hiera root under /opt/system-config so it can reach
into both private and public hiera directories. This implies that
hiera data will live in a hiera/ directory in system-config.
Manual: This requires a manual change to the puppetmaster system. A
rooter must move /etc/puppet/hieradata to /opt/system-config/hieradata
Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/public_hiera.html
Change-Id: I1736759ee9ac7cd0c206538ed0a2f6d0d71ea440
.. note::
* Split Data from code
* Increase visibility
* Reduces merge conflicts
Need basic orchestration
========================
.. code-block:: shell
commit b55ed05a274e5da40b567ad127a3d1c5808e48c6
Author: Monty Taylor <mordred@inaugust.com>
Date: Mon Mar 17 04:01:33 2014 -0400
Drive puppet from the master over ssh
We'd like to be able to control sequencing of how and when puppet
runs across our machines. Currently, it's just a set of agents
that run kinda whenever they run. At times they hang and we don't
know about it. Also, cross-server sequencing is impossible to
achieve.
Change the operation away from agents running on the machine as
daemons, and instead ssh from the master to each machine.
Change-Id: I76e41e63c6d0825e8735c484ba4580d545515e43
.. note::
* /opt/config/production/run_all.sh
* 'override hosts'
* gave us limited Do X before Y
* create repos in git slaves before creating them in the git master
* replication in the git-master is a bit derpy
* "this allows creation of git repos on the git slaves before creation of the master repos on the gerrit server"
Need basic orchestration
========================
.. code-block:: shell
commit 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
Author: Monty Taylor <mordred@inaugust.com>
Date: Tue Apr 15 17:41:45 2014 -0700
Use ansible instead of direct ssh calls
Instead of a shell script looping over ssh calls, use a simple
ansible playbook. The benefit this gets is that we can then also
script ad-hoc admin tasks either via playbooks or on the command
line. We can also then get rid of the almost entirely unused
salt infrastructure.
Change-Id: I53112bd1f61d94c0521a32016c8a47c8cf9e50f7
.. note::
* Yes there was a ancient salt infra crusting
Puppet Inventory
================
.. code-block:: shell
import json
import subprocess
output = [
x.split()[1][1:-1] for x in subprocess.check_output(
["puppet","cert","list","-a"]).split('\n')
if x.startswith('+')
]
data = {
'_meta': {'hostvars': dict()},
'ungrouped': output,
}
print json.dumps(data, sort_keys=True, indent=2)
.. note::
* Ansible dynamic inventory
* Reads puppet cert --list --all
OpenStack Inventory
===================
.. code-block:: shell
commit 714c934d0c57ed4c4ce653c0bb603071fc3dbff6
Author: Monty Taylor <mordred@inaugust.com>
Date: Wed Nov 25 11:36:30 2015 -0500
Use OpenStack for inventory instead of puppet
With the puppetmaster not there anymore, we should consume inventory
from OpenStack rather than from puppet.
It turns out that because of the way static and dynamic inventories get
merged, the static file needs to stand alone. SO - if you need to
disable a dynamic host from OpenStack (pretty much all of our hosts) you
need to not only add it to dynamic:children, you need to add an emtpy
group into the static file too, otherwise you'll get an error like:
root@puppetmaster:~# ansible -i newinv '!disabled' --list-hosts
ERROR: newinv/static:4: child group is not defined: (jenkins-dev.openstack.org)
Change-Id: Ic6809ed0b7014d7aebd414bf3a342e3a37eb10b6
.. note::
* Ansible 2.0 released
* Uses shade, a library we wrote
* This inventory file lives in ansible/contrib
* Start a really fucking annoying process of getting us the ability to disable a host temporarily
Ansible group membership
========================
.. code-block:: shell
jenkins jenkins*.openstack.org
logstash-worker ~logstash-worker\d+\.openstack\.org
subunit-worker ~subunit-worker\d+\.openstack\.org
elasticsearch ~elasticsearch0[1-7]\.openstack\.org
git-loadbalancer ~git(-fe\d+)?\.openstack\.org
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
git-server ~git\d+\.openstack\.org
pypi pypi.*.openstack.org
afsdb afsdb*.openstack.org
afs afs*.*.openstack.org
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
Ansible's Role
==============
* Ad hoc
* Jenkins 'Maintenance'
* Upgrades (see references)
* Puppet Runs
.. note::
* get it?
* Upgraded our elasticsearch cluster using ansible, through code review
Jenkins Maintenance
===================
.. code-block:: yaml
---
- hosts: 'jenkins0*.openstack.org'
# Do the entire play completely for one host at a time
serial: 1
# Treat any errors as fatal so that we don't stop all the jenkins
# masters.
any_errors_fatal: true
tasks:
- shell: '/usr/local/jenkins/bin/safe_jenkins_shutdown --url https://{{ ansible_fqdn }}/ --user {{ user }} --password {{ password }}'
- service: name=jenkins state=stopped
# This is necessary because stopping Jenkins is not reliable.
# We allow return code 1 which means no processes found.
- shell: 'pkill -9 -U jenkins || [ $? -eq "1" ]'
- service: name=jenkins state=restarted
.. note::
* On cron once a week
* This, and all ansible runs, run from one host, the puppetmaster
* Bastion model
Run_all.sh
==========
.. code-block:: shell
cd $SYSTEM_CONFIG
git fetch -a && git reset -q --hard @{u}
./install_modules.sh
ansible-galaxy install --force -r roles.yaml
# First, sync the puppet repos with all the machines
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/update_puppet.yaml
# Run the git/gerrit sequence, since it's important that they all work together
ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
# Run AFS changes separately so we can make sure to only do one at a time
# (turns out quorum is nice to have)
ansible-playbook -f 1 ${ANSIBLE_PLAYBOOKS}/remote_puppet_afs.yaml
# Run everything else. We do not care if the other things worked
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/remote_puppet_else.yaml
.. note::
* Every 15 minutes by cron
* Flocking in the cron, this can certainly take longer than 15 minutes
* Think about this relatively infrequently -> CI
Puppet + Ansible
================
* Copy code
* Copy secrets
* Inject variables
* Run puppet
* Save report
* Push to puppetdb
.. note::
* no use of r10k or install_modules.sh
* Code is rsyncd from the puppetmaster
* Specific hiera files are pushed, this is controlled by ansible groups
* Environment variables such as git refs are set using FACTER variables
* puppet is run
* report_file report processor runs, emits a json blob
* json blob copied back to puppet master, curl'd at puppetdb
Copy code
=========
.. code-block:: yaml
- block:
- name: copy puppet modules
synchronize:
src: "{{ manifest_base }}/{{ puppet_environment }}"
dest: "{{ manifest_base }}"
Copy secrets
============
.. code-block:: yaml
- name: make file list
puppet_get_hiera_file_list:
fqdn: "{{ ansible_fqdn }}"
groups: "{{ hostvars[inventory_hostname].group_names }}"
location: "{{ hieradata }}/{{ puppet_environment }}"
delegate_to: localhost
register: hiera_file_paths
- name: copy hiera files
copy:
src: "{{ item }}"
dest: "{{ item }}"
mode: 0600
with_items: hiera_file_paths.paths|default()
Run Puppet
==========
.. code-block:: yaml
- name: run puppet
puppet:
puppetmaster: "{{ puppetmaster|default(omit) }}"
manifest: "{{ manifest|default(omit) }}"
show_diff: "{{ show_diff|default(false) }}"
facts: "{{ facts|default(omit) }}"
facter_basename: "{{ facter_basename|default(omit) }}"
Post report and facts to puppetdb
==================================
.. code-block:: yaml
- name: fetch file
synchronize:
mode: pull
src: "{{ puppet_logfile }}"
dest: /var/lib/puppet/reports/{{ ansible_fqdn }}
- name: post facts
puppet_post_puppetdb:
puppetdb: "{{ puppetdb }}"
hostvars: "{{ hostvars[inventory_hostname] }}"
logfile: "{{ puppet_logfile }}"
whoami: "{{ ansible_fqdn }}"
delegate_to: localhost
connection: local
PuppetBoard
===========
.. figure:: _static/puppetboard.png
:align: center
Next Steps
==========
* Shore up the puppetdb integration, has some bugs
* Move launch_node.py into ansible
* Remove puppet agent dependency for launch_node.py, disable puppetmaster service
References
==========
* All infra repos: http://git.openstack.org/cgit/openstack-infra/
* Main Control repo: http://git.openstack.org/cgit/openstack-infra/system-config
* ansible-puppet role: http://git.openstack.org/cgit/openstack-infra/system-config
* Apply test: http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
* OpenStack CI http://docs.openstack.org/infra/openstackci/
* Diskimage-Builder http://docs.openstack.org/developer/diskimage-builder/
References (cont)
=================
* ELK Upgrade Playbook: https://review.openstack.org/#/c/238185/
* Ansible puppetdb glue: http://git.openstack.org/cgit/openstack-infra/ansible-puppet/tree/library/puppet_post_puppetdb
* Json puppet report processor: http://git.openstack.org/cgit/openstack-infra/system-config/tree/modules/openstack_project/lib/puppet/reports/puppetdb_file.rb
References: shas
================
* Drive puppet from ssh: edaa31ebbda09fb03baf1d18b64f5fa996188745
* Move from ssh to ansible: 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
* Public hiera: 1624692402d2148ab7d6dd9e5642fb0b34ec7209
Thank You
=========
.. figure:: _static/spencer_face.jpg
:align: left
Spencer Krum
IBM
@nibalizer
nibz@spencerkrum.com
https://git.openstack.org/cgit/openstack-infra/publications
git tag -s -m "LinuxCon North America, 2013" 2013-linuxcon_na-overview
The 'make-index' script will create an index page based on index.html,
and all current branches and tags in the repo and their README.rst
files.
Viewable publications are published to:
http://docs.openstack.org/infra/publications
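Review bot: The Jenkins Maintenance play hands the credential over on the command line, `--password {{ password }}` in the `shell` task, so it is visible in the process table of every Jenkins master while the shutdown script runs and is echoed into Ansible's task output and any log; at minimum the task should carry `no_log: true`, and the password should reach `safe_jenkins_shutdown` via `environment:` or a file rather than argv if that script supports it. In the Copy secrets play, `with_items: hiera_file_paths.paths|default()` is a bare Jinja expression, which Ansible 2.x deprecates in favour of `with_items: "{{ hiera_file_paths.paths|default([]) }}"`. The Run_all.sh excerpt runs `ansible-galaxy install --force -r roles.yaml` from a 15-minute cron on the bastion, re-fetching roles from Galaxy every cycle; unless roles.yaml (not shown here) pins versions and sources, that is an unpinned supply-chain input feeding code that reaches every managed host. Since the slides quote code that lives in system-config, these fixes belong there, with the slides refreshed afterwards.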

BIN
_static/cinder_ci.png Normal file


BIN
_static/codesearch.png Normal file



BIN
_static/k8s_code.png Normal file


BIN
_static/mt_hood.jpg Normal file


BIN
_static/pcci_voting.png Normal file


BIN
_static/puppetboard.png Normal file


BIN
_static/spencer_face.jpg Normal file


317
conf.py Normal file

@ -0,0 +1,317 @@
# -*- coding: utf-8 -*-
#
# Avisory Third Party CI documentation build configuration file, created by
# sphinx-quickstart on Sun Nov 15 21:40:13 2015.
#
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
import sys
import os
import shlex
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
#needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'sphinx.ext.doctest',
'sphinx.ext.intersphinx',
'sphinx.ext.todo',
'sphinx.ext.coverage',
'sphinx.ext.pngmath',
'sphinx.ext.ifconfig',
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
# source_suffix = ['.rst', '.md']
source_suffix = '.rst'
# The encoding of source files.
#source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = u'Advisory Third Party CI'
copyright = u'2016, Spencer Krum'
author = u'Spencer Krum'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '2016.01.01'
# The full version, including alpha/beta/rc tags.
release = '2016.01.01'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
#today = ''
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ['_build']
# The reST default role (used for this markup: `text`) to use for all
# documents.
#default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
#add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []
# If true, keep warnings as "system message" paragraphs in the built documents.
#keep_warnings = False
# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = True
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'alabaster'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
#html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
#html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
#html_extra_path = []
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
#html_last_updated_fmt = '%b %d, %Y'
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
#html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
#html_additional_pages = {}
# If false, no module index is generated.
#html_domain_indices = True
# If false, no index is generated.
#html_use_index = True
# If true, the index is split into individual pages for each letter.
#html_split_index = False
# If true, links to the reST sources are added to the pages.
#html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = None
# Language to be used for generating the HTML full-text search index.
# Sphinx supports the following languages:
# 'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
# 'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr'
#html_search_language = 'en'
# A dictionary with options for the search language support, empty by default.
# Now only 'ja' uses this config value
#html_search_options = {'type': 'default'}
# The name of a javascript file (relative to the configuration directory) that
# implements a search results scorer. If empty, the default will be used.
#html_search_scorer = 'scorer.js'
# Output file base name for HTML help builder.
htmlhelp_basename = 'SecurePeerNetworkingwithTINCdoc'
# -- Options for LaTeX output ---------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
#'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
#'preamble': '',
# Latex figure (float) alignment
#'figure_align': 'htbp',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
(master_doc, 'SecurePeerNetworkingwithTINC.tex', u'Secure Peer Networking with TINC Documentation',
u'Ben Kero', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#latex_use_parts = False
# If true, show page references after internal links.
#latex_show_pagerefs = False
# If true, show URL addresses after external links.
#latex_show_urls = False
# Documents to append as an appendix to all manuals.
#latex_appendices = []
# If false, no module index is generated.
#latex_domain_indices = True
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
(master_doc, 'securepeernetworkingwithtinc', u'Secure Peer Networking with TINC Documentation',
[author], 1)
]
# If true, show URL addresses after external links.
#man_show_urls = False
# -- Options for Texinfo output -------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, 'SecurePeerNetworkingwithTINC', u'Secure Peer Networking with TINC Documentation',
author, 'SecurePeerNetworkingwithTINC', 'One line description of project.',
'Miscellaneous'),
]
# Documents to append as an appendix to all manuals.
#texinfo_appendices = []
# If false, no module index is generated.
#texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
#texinfo_show_urls = 'footnote'
# If true, do not generate a @detailmenu in the "Top" node's menu.
#texinfo_no_detailmenu = False
# -- Hieroglyph Slide Configuration ------------
extensions += [
'hieroglyph',
]
slide_title = 'Better Together'
slide_theme = 'single-level'
slide_levels = 3
# Place custom static assets in the _static directory and uncomment
# the following lines to include them
# slide_theme_options = {
# 'custom_css': 'custom.css',
# 'custom_js': 'custom.js',
# }
# ----------------------------------------------
# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {'https://docs.python.org/': None}


@ -1,99 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
OpenStack Project Infrastructure Publications
</title>
<!-- Google Fonts -->
<link href="http://fonts.googleapis.com/css?family=PT+Sans&amp;subset=latin" rel="stylesheet" type="text/css"/>
<!-- Framework CSS -->
<link href="http://openstack.org/themes/openstack/css/blueprint/screen.css" media="screen, projection" rel="stylesheet" type="text/css"/>
<link href="http://openstack.org/themes/openstack/css/blueprint/print.css" media="print" rel="stylesheet" type="text/css"/>
<!--[if lt IE 8]><link rel="stylesheet" href="http://openstack.org/themes/openstack/css/blueprint/ie.css" type="text/css" media="screen, projection"><![endif]-->
<!-- OpenStack Specific CSS -->
<link href="http://openstack.org/themes/openstack/css/main.css" media="screen, projection, print" rel="stylesheet" type="text/css"/>
</head>
<body>
<div class="container">
<div id="header">
<div class="span-5">
<h1 id="logo">
<a href="/">
OpenStack
</a>
</h1>
</div>
<div class="span-19 last blueLine">
<div class="span-19" id="navigation">
<ul id="Menu1">
<li>
<a href="http://www.openstack.org/" title="Go to the OpenStack Home page">
Home
</a>
</li>
<li>
<a class="link" href="http://www.openstack.org/software/" title="About OpenStack">
About
</a>
</li>
<li>
<a class="link" href="http://www.openstack.org/user-stories/" title="Read stories about companies that use OpenStack to get work done.">
User Stories
</a>
</li>
<li>
<a class="link" href="http://www.openstack.org/community/" title="Go to the OpenStack Community page">
Community
</a>
</li>
<li>
<a class="link" href="http://www.openstack.org/profile/" title="Edit your OpenStack community profile">
Profile
</a>
</li>
<li>
<a href="http://www.openstack.org/blog/" title="Go to the OpenStack Blog">
Blog
</a>
</li>
<li>
<a href="http://wiki.openstack.org/" title="Go to the OpenStack Wiki">
Wiki
</a>
</li>
<li>
<a href="http://docs.openstack.org/glossary/content/glossary.html" title="See definitions of OpenStack terms">
Glossary
</a>
</li>
<li>
<a class="current" href="http://docs.openstack.org/" title="Go to the OpenStack Documentation">
Documentation
</a>
</li>
</ul>
</div>
</div>
</div>
</div>
<!-- Page Content -->
<div class="container">
<h1>
OpenStack Project Infrastructure Publications
</h1>
</div>
<div class="container">
<h2>
Current Publications
</h2>
{current}
</div>
<br/>
<div class="container">
<h2>
Previous Publications
</h2>
{previous}
</div>
</body>
</html>

672
index.rst Normal file

@ -0,0 +1,672 @@
.. Secure Peer Networking with TINC slides file, created by
hieroglyph-quickstart on Sun Nov 15 21:40:13 2015.
===================================
Better Together: Puppet and Ansible
===================================
.. figure:: _static/config_mgmt_camp_logo.png
:align: left
:width: 300px
Spencer Krum, IBM
Feb 2, 2016
@nibalizer
http://spencerkrum.com
https://git.openstack.org/cgit/openstack-infra/publications
.. note::
* Who am I
* What do I work on
* github
Portland
========
.. figure:: _static/mt_hood.jpg
:align: center
Other People
============
* OpenStack Infra Team
* Jim Blair
* Monty Taylor
* Colleen Murphy
* Hunter Haugen
* Many More
.. note::
* Team effort
Agenda
======
* Introduction
* Describe OpenStack Infra Team and Infrastructure
* Describe Puppet use
* Describe Ansible use
* Describe the Ansible-Puppet collaboration
OpenStack Infrastructure
========================
* General Overview
.. note::
* OpenStack is software
* We test it
* 20k tests a day at peak times
* Jobs, test, integration, docs, release, translate
History
=======
* Started 5 years ago
* Open Source
.. note::
* pleia jim/monty sitck figures
* pre ansible (python shop)
* tried chef, hard
* went with puppet
* Heavy CI/CD culture, everything goes through git, delpoy - grafana
Primary Services
================
* Code Review (gerrit)
* CI (zomg complexity)
* Code hosting (haproxy/cgit farm)
* Mailing lists(mailman)
.. note::
* These are the things that we really need to be up
* Our CI system is home grown and awesome
Secondary Services
==================
* wiki
* ask.openstack.org
* mailing lists
* afs/kerberos
* irc bots
* paste
* etherpad
* elk
* zanata
* graphite/grafana/grafyaml
.. note::
* These are the things that got set up
* Lot of community involvment here
Codesearch
==========
.. figure:: _static/codesearch.png
:align: center
* http://codesearch.openstack.org
.. note::
* codesearch.openstack.org
* hound from etsy
* deployed by outreachy intern
* use our puppet module!
* wicked fast
Basics
======
* 30 'pets'
* 12 x jenkins masters
* 20 x package mirrors
* 8 x git mirrors
* ~30 elk cluster
* infinity test vms
.. note::
* These are the things that got set up
* Lot of community involvment here
Basics
======
* All infrastructure runs on OpenStack clouds
* Clouds donated by companies <3
* Rackspace and HPCloud at first
* Now involving BlueBox, OVH, Internap and more
.. note::
* Maybe yours
* HP has donated a blob of physical gear which we are clouding
* Run our services on the public internet
Mgmt
====
* Precise, Trusty, Centos 7
* Puppet for config mgmt
* Ansible for orchestration
* Disk-image-builder for image builds
* snmp + cacti for metrics
* puppetboard for visibility
.. note::
* Precise, trusty, centos 7
* Centos 6 was killed
* Puppet does all configuration of everything, services, files, templates, packages
Puppet circa 2014
=================
* 2.7 Master
* Passenger
* Generated certs, w/ push
* CI/CD
* install_modules.sh
* puppet-lint test
* some public modules
* single puppet repo
.. note::
* Single puppetmaster
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
* near-perfect cd
* install_modules.sh was sortof r10kish
* public modules were all really old versions
* public internet, rouge puppet certs
Example of where we were at
==========================
.. code-block:: shell
if [ -n "$NODEPOOL_SSH_KEY" ] ; then
puppet_install_users="install_users => false,
ssh_key => '$NODEPOOL_SSH_KEY',"
else
puppet_install_users=""
fi
cat >/tmp/local.pp <<EOF
class {'openstack_project::single_use_slave':
sudo => $SUDO,
thin => $THIN,
install_resolv_conf => false,
$puppet_install_users
}
EOF
puppet apply /tmp/local.pp
.. note::
* Some but not all of the terribleness has been preserved
* run this in prod
Example of where we were at
==========================
.. code-block:: shell
# upstream is currently looking for /run/systemd files to check
# for systemd. This fails in a chroot where /run isn't mounted
# (like when using dib). Comment out this confine as fedora
# always has systemd
# see
# https://github.com/puppetlabs/puppet/pull/4481
# https://bugzilla.redhat.com/show_bug.cgi?id=1254616
sudo sed -i.bak \
'/^[^#].*/ s|\(^.*confine :exists => \"/run/systemd/system\".*$\)|#\ \1|' \
/usr/share/ruby/vendor_ruby/puppet/provider/service/systemd.rb
.. note::
* Puppet 4 on f23
* A user level patch to software that was patched before being packaged
Upgrades to the puppet setup
============================
* 3.x
* PuppetDB + PuppetBoard
* Modules split out
* Started using newer public modules
* Upgraded apache
.. note::
* 3.x happened right as 2.7 Eol'd for the last time
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
* near-perfect cd
* install_modules.sh was sortof r10kish
* public modules were all really old versions
Upgrades to the puppet setup: Apply test
========================================
* Apply test http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
.. code-block:: shell
file=$1
fileout=${file}.out
echo "##" > $fileout
cat $file > $fileout
sudo puppet apply --noop --verbose --debug $file >/dev/null 2>> $fileout
ret=$?
cat $fileout
exit $ret
.. note::
* 3.x happened right as 2.7 Eol'd for the last time
* launch_node.py would build a machine w/ openstack apis and push in a puppet cert
* near-perfect cd
* install_modules.sh was sortof r10kish
* public modules were all really old versions
Upgrades to the puppet setup: OpenStackCI
=========================================
* Control Repo Indirector
* Puppet module
.. note::
* Open Source when you release
* Open source when you get users
* Wraps Daemons and configuration
* All-in-one node deployment
Upgrades to the puppet setup: Public Hiera
==========================================
.. code-block:: shell
commit 1624692402d2148ab7d6dd9e5642fb0b34ec7209
Author: Spencer Krum <nibz@spencerkrum.com>
Date: Fri Apr 24 08:36:46 2015 -0700
Convert hiera configuration to support public data
This moves the hiera root under /opt/system-config so it can reach
into both private and public hiera directories. This implies that
hiera data will live in a hiera/ directory in system-config.
Manual: This requires a manual change to the puppetmaster system. A
rooter must move /etc/puppet/hieradata to /opt/system-config/hieradata
Spec: http://specs.openstack.org/openstack-infra/infra-specs/specs/public_hiera.html
Change-Id: I1736759ee9ac7cd0c206538ed0a2f6d0d71ea440
.. note::
* Split Data from code
* Increase visibility
* Reduces merge conflicts
Need basic orchestration
========================
.. code-block:: shell
commit b55ed05a274e5da40b567ad127a3d1c5808e48c6
Author: Monty Taylor <mordred@inaugust.com>
Date: Mon Mar 17 04:01:33 2014 -0400
Drive puppet from the master over ssh
We'd like to be able to control sequencing of how and when puppet
runs across our machines. Currently, it's just a set of agents
that run kinda whenever they run. At times they hang and we don't
know about it. Also, cross-server sequencing is impossible to
achieve.
Change the operation away from agents running on the machine as
daemons, and instead ssh from the master to each machine.
Change-Id: I76e41e63c6d0825e8735c484ba4580d545515e43
.. note::
* /opt/config/production/run_all.sh
* 'override hosts'
* gave us limited Do X before Y
* create repos in git slaves before creating them in the git master
* replication in the git-master is a bit derpy
* "this allows creation of git repos on the git slaves before creation of the master repos on the gerrit server"
Need basic orchestration
========================
.. code-block:: shell
commit 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
Author: Monty Taylor <mordred@inaugust.com>
Date: Tue Apr 15 17:41:45 2014 -0700
Use ansible instead of direct ssh calls
Instead of a shell script looping over ssh calls, use a simple
ansible playbook. The benefit this gets is that we can then also
script ad-hoc admin tasks either via playbooks or on the command
line. We can also then get rid of the almost entirely unused
salt infrastructure.
Change-Id: I53112bd1f61d94c0521a32016c8a47c8cf9e50f7
.. note::
* Yes there was a ancient salt infra crusting
Puppet Inventory
================
.. code-block:: shell
import json
import subprocess
output = [
x.split()[1][1:-1] for x in subprocess.check_output(
["puppet","cert","list","-a"]).split('\n')
if x.startswith('+')
]
data = {
'_meta': {'hostvars': dict()},
'ungrouped': output,
}
print json.dumps(data, sort_keys=True, indent=2)
.. note::
* Ansible dynamic inventory
* Reads puppet cert --list --all
OpenStack Inventory
===================
.. code-block:: shell
commit 714c934d0c57ed4c4ce653c0bb603071fc3dbff6
Author: Monty Taylor <mordred@inaugust.com>
Date: Wed Nov 25 11:36:30 2015 -0500
Use OpenStack for inventory instead of puppet
With the puppetmaster not there anymore, we should consume inventory
from OpenStack rather than from puppet.
It turns out that because of the way static and dynamic inventories get
merged, the static file needs to stand alone. SO - if you need to
disable a dynamic host from OpenStack (pretty much all of our hosts) you
need to not only add it to dynamic:children, you need to add an emtpy
group into the static file too, otherwise you'll get an error like:
root@puppetmaster:~# ansible -i newinv '!disabled' --list-hosts
ERROR: newinv/static:4: child group is not defined: (jenkins-dev.openstack.org)
Change-Id: Ic6809ed0b7014d7aebd414bf3a342e3a37eb10b6
.. note::
* Ansible 2.0 released
* Uses shade, a library we wrote
* This inventory file lives in ansible/contrib
* Start a really fucking annoying process of getting us the ability to disable a host temporarily
Ansible group membership
========================
.. code-block:: shell
jenkins jenkins*.openstack.org
logstash-worker ~logstash-worker\d+\.openstack\.org
subunit-worker ~subunit-worker\d+\.openstack\.org
elasticsearch ~elasticsearch0[1-7]\.openstack\.org
git-loadbalancer ~git(-fe\d+)?\.openstack\.org
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
git-server ~git\d+\.openstack\.org
pypi pypi.*.openstack.org
afsdb afsdb*.openstack.org
afs afs*.*.openstack.org
disabled ci-backup-rs-ord.openstack.org:jenkins-dev.openstack.org
Ansible's Role
==============
* Ad hoc
* Jenkins 'Maintenance'
* Upgrades (see references)
* Puppet Runs
.. note::
* get it?
* Upgraded our elasticsearch cluster using ansible, through code review
Jenkins Maintenance
===================
.. code-block:: yaml
---
- hosts: 'jenkins0*.openstack.org'
# Do the entire play completely for one host at a time
serial: 1
# Treat any errors as fatal so that we don't stop all the jenkins
# masters.
any_errors_fatal: true
tasks:
- shell: '/usr/local/jenkins/bin/safe_jenkins_shutdown --url https://{{ ansible_fqdn }}/ --user {{ user }} --password {{ password }}'
- service: name=jenkins state=stopped
# This is necessary because stopping Jenkins is not reliable.
# We allow return code 1 which means no processes found.
- shell: 'pkill -9 -U jenkins || [ $? -eq "1" ]'
- service: name=jenkins state=restarted
.. note::
* On cron once a week
* This, and all ansible runs, run from one host, the puppetmaster
* Bastion model
Run_all.sh
==========
.. code-block:: shell
cd $SYSTEM_CONFIG
git fetch -a && git reset -q --hard @{u}
./install_modules.sh
ansible-galaxy install --force -r roles.yaml
# First, sync the puppet repos with all the machines
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/update_puppet.yaml
# Run the git/gerrit sequence, since it's important that they all work together
ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
# Run AFS changes separately so we can make sure to only do one at a time
# (turns out quorum is nice to have)
ansible-playbook -f 1 ${ANSIBLE_PLAYBOOKS}/remote_puppet_afs.yaml
# Run everything else. We do not care if the other things worked
ansible-playbook -f 20 ${ANSIBLE_PLAYBOOKS}/remote_puppet_else.yaml
.. note::
* Every 15 minutes by cron
* Flocking in the cron, this can certainly take longer than 15 minutes
* Think about this relatively infrequently -> CI
Puppet + Ansible
================
* Copy code
* Copy secrets
* Inject variables
* Run puppet
* Save report
* Push to puppetdb
.. note::
* no use of r10k or install_modules.sh
* Code is rsyncd from the puppetmaster
* Specific hiera files are pushed, this is controlled by ansible groups
* Environment variables such as git refs are set using FACTER variables
* puppet is run
* report_file report processor runs, emits a json blob
* json blob copied back to puppet master, curl'd at puppetdb
Copy code
=========
.. code-block:: yaml
- block:
- name: copy puppet modules
synchronize:
src: "{{ manifest_base }}/{{ puppet_environment }}"
dest: "{{ manifest_base }}"
Copy secrets
============
.. code-block:: yaml
- name: make file list
puppet_get_hiera_file_list:
fqdn: "{{ ansible_fqdn }}"
groups: "{{ hostvars[inventory_hostname].group_names }}"
location: "{{ hieradata }}/{{ puppet_environment }}"
delegate_to: localhost
register: hiera_file_paths
- name: copy hiera files
copy:
src: "{{ item }}"
dest: "{{ item }}"
mode: 0600
with_items: hiera_file_paths.paths|default()
Run Puppet
==========
.. code-block:: yaml
- name: run puppet
puppet:
puppetmaster: "{{ puppetmaster|default(omit) }}"
manifest: "{{ manifest|default(omit) }}"
show_diff: "{{ show_diff|default(false) }}"
facts: "{{ facts|default(omit) }}"
facter_basename: "{{ facter_basename|default(omit) }}"
Post report and facts to puppetdb
==================================
.. code-block:: yaml
- name: fetch file
synchronize:
mode: pull
src: "{{ puppet_logfile }}"
dest: /var/lib/puppet/reports/{{ ansible_fqdn }}
- name: post facts
puppet_post_puppetdb:
puppetdb: "{{ puppetdb }}"
hostvars: "{{ hostvars[inventory_hostname] }}"
logfile: "{{ puppet_logfile }}"
whoami: "{{ ansible_fqdn }}"
delegate_to: localhost
connection: local
PuppetBoard
===========
.. figure:: _static/puppetboard.png
:align: center
Next Steps
==========
* Shore up the puppetdb integration, has some bugs
* Move launch_node.py into ansible
* Remove puppet agent dependency for launch_node.py, disable puppetmaster service
References
==========
* All infra repos: http://git.openstack.org/cgit/openstack-infra/
* Main Control repo: http://git.openstack.org/cgit/openstack-infra/system-config
* ansible-puppet role: http://git.openstack.org/cgit/openstack-infra/system-config
* Apply test: http://git.openstack.org/cgit/openstack-infra/system-config/tree/tools/apply-test.sh
* OpenStack CI http://docs.openstack.org/infra/openstackci/
* Diskimage-Builder http://docs.openstack.org/developer/diskimage-builder/
References (cont)
=================
* ELK Upgrade Playbook: https://review.openstack.org/#/c/238185/
* Ansible puppetdb glue: http://git.openstack.org/cgit/openstack-infra/ansible-puppet/tree/library/puppet_post_puppetdb
* Json puppet report processor: http://git.openstack.org/cgit/openstack-infra/system-config/tree/modules/openstack_project/lib/puppet/reports/puppetdb_file.rb
References: shas
================
* Drive puppet from ssh: edaa31ebbda09fb03baf1d18b64f5fa996188745
* Move from ssh to ansible: 034f37c32aed27d8000e1dc3a8a3d36022bcd12a
* Public hiera: 1624692402d2148ab7d6dd9e5642fb0b34ec7209
Thank You
=========
.. figure:: _static/spencer_face.jpg
:align: left
Spencer Krum
IBM
@nibalizer
nibz@spencerkrum.com
https://git.openstack.org/cgit/openstack-infra/publications


@ -1,77 +0,0 @@
#!/usr/bin/env python
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
import subprocess
def run_local(cmd, cwd='.', env={}):
print "Running:", cmd
newenv = os.environ
newenv.update(env)
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, cwd=cwd,
stderr=subprocess.STDOUT, env=newenv)
(out, nothing) = p.communicate()
return (p.returncode, out.strip())
def git_branches():
branches = []
r, branch_list = run_local(['git', 'branch', '-a'])
for branch in branch_list.split("\n"):
branch = branch.strip()
if not branch.startswith('remotes/origin'):
continue
branches.append(branch)
return branches
def git_tags():
r, tag_list = run_local(['git', 'tag', '-n'])
return [x for x in tag_list.split('\n') if x]
current = ''
previous = ''
for branch in git_branches():
if branch.startswith('remotes/origin/master'):
continue
if branch.startswith('remotes/origin/template'):
continue
if branch.startswith('remotes/origin/HEAD'):
continue
if '->' in branch:
continue
r,o = run_local(['git', 'show', branch+':README.rst'])
if not r:
title = o.split('\n')[0]
name = branch[len('remotes/origin/'):]
print "Adding branch %s: %s" % (name, title)
current += '<a href="%s/">%s</a><br/>\n' % (name, title)
for tagline in git_tags():
tag, tag_title = [x.strip() for x in tagline.split(' ', 1)]
r,o = run_local(['git', 'show', tag+':README.rst'])
if not r:
title = o.split('\n')[0]
print "Adding tag %s: %s: %s" % (tag, tag_title, title)
previous += '<a href="%s/">%s: %s</a><br/>\n' % (tag, tag_title, title)
if not os.path.exists('output'):
os.mkdir('output')
out = open('output/index.html', 'w')
out.write(open('index.html').read().format(current=current, previous=previous))
out.close()

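--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,14 @@
+Babel==2.1.1
+Jinja2==2.8
+MarkupSafe==0.23
+Pygments==2.0.2
+Sphinx==1.3.1
+alabaster==0.7.6
+argparse==1.2.1
+docutils==0.12
+hieroglyph==0.7.1
+pytz==2015.7
+six==1.10.0
+snowballstemmer==1.2.0
+sphinx-rtd-theme==0.1.9
+wsgiref==0.1.2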