Akosiaris has submitted this change and it was merged. Change subject: Puppetmaster module multi-master capable ......................................................................
Puppetmaster module multi-master capable
This commit changes the design of the puppetmaster module to allow for multi-master scenarios. The approach followed is #3 of http://docs.puppetlabs.com/guides/scaling_multiple_masters.html since it was deemed the one with the least amount of changes in agent environment as well as horizontally scalable. It constitutes of a "frontend" server acting as the Puppet CA, authenticating clients and handling the CA work. It will set the necessary HTTP headers in the request and proxy it using Apache's mod_proxy to one of N backend workers for processing. The backend servers are powered by mod_passenger albeit listening on a different port than the master (8141 vs 8140) The changes are backwards compatible as well as allowing "standalone" servers running just apache with mod_passenger enabled. Extensive testing has taken place in labs. Git sync takes place using the already established infrastructure of gitpuppet user. Population of private keys on frontend needs to happen manually
Change-Id: Ibc3461a3394477986d9071dc3545727133742681
---
D modules/puppetmaster/files/git/post-merge
M modules/puppetmaster/manifests/gitclone.pp
M modules/puppetmaster/manifests/gitpuppet.pp
M modules/puppetmaster/manifests/init.pp
M modules/puppetmaster/manifests/passenger.pp
M modules/puppetmaster/templates/20-master.conf.erb
R modules/puppetmaster/templates/ports.conf.erb
A modules/puppetmaster/templates/post-merge.erb
M modules/puppetmaster/templates/puppetmaster.erb
9 files changed, 93 insertions(+), 24 deletions(-)
Approvals:
Akosiaris: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/puppetmaster/files/git/post-merge b/modules/puppetmaster/files/git/post-merge
deleted file mode 100644
index 40a8915..0000000
--- a/modules/puppetmaster/files/git/post-merge
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-PATH=/usr/bin:/bin
-export PATH
-
-if [ "$USER" = "gitpuppet" ]; then
- # Add an apache reload, since puppet is stupid and will botch
- # catalogues in a way that does not show up on the clients and causes
- # an insane amount of confusion. A reload makes it regenerate them properly.
- #/etc/init.d/apache2 reload
-
- # This bug has allegedly been fixed, so let's try with touch site.pp again
- touch /etc/puppet/manifests/site.pp
-
- if [ `hostname` = 'sockpuppet' ]; then
- # If no key is forwarded then this will use the ready-made equivalent command
- # on stafford and ignore our command.
- ssh -t -t stafford.pmtpa.wmnet 'cd /var/lib/git/operations/puppet && git pull && git submodule update --init'
- fi
-fi
diff --git a/modules/puppetmaster/manifests/gitclone.pp b/modules/puppetmaster/manifests/gitclone.pp
index a38937e..e612839 100644
--- a/modules/puppetmaster/manifests/gitclone.pp
+++ b/modules/puppetmaster/manifests/gitclone.pp
@@ -24,7 +24,7 @@
 "${puppetmaster::gitdir}/operations/puppet/.git/hooks/post-merge":
 require => Git::Clone['operations/puppet'],
 owner => 'gitpuppet',
- source => 'puppet:///modules/puppetmaster/git/post-merge',
+ content => template('puppetmaster/post-merge.erb'),
 mode => '0550';
 "${puppetmaster::gitdir}/operations/puppet/.git/hooks/pre-commit":
 require => Git::Clone['operations/puppet'],
diff --git a/modules/puppetmaster/manifests/gitpuppet.pp b/modules/puppetmaster/manifests/gitpuppet.pp
index a9d7908..e6ee2a8 100644
--- a/modules/puppetmaster/manifests/gitpuppet.pp
+++ b/modules/puppetmaster/manifests/gitpuppet.pp
@@ -1,4 +1,4 @@
-# Service user to handle the post-merge hook on sockpuppet
+# Service user to handle the post-merge hook on master
 class puppetmaster::gitpuppet {
 user { 'gitpuppet':
 ensure => present,
diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp
index 1d8e6a9..850727b 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -22,6 +22,8 @@
 $verify_client='optional',
 $allow_from=[],
 $deny_from=[],
+ $server_type='standalone',
+ $workers=undef,
 $config={}) {
 system::role { 'puppetmaster': description => 'Puppetmaster' }
@@ -45,6 +47,12 @@
 ensure => latest;
 }
+ if $server_type == 'frontend' {
+ apache_module { 'proxy': name => 'proxy' }
+ apache_module { 'proxy_http': name => 'proxy_http' }
+ apache_module { 'proxy_balancer': name => 'proxy_balancer' }
+ }
+ include backup::host
 backup::set { 'var-lib-puppet-ssl': }
diff --git a/modules/puppetmaster/manifests/passenger.pp b/modules/puppetmaster/manifests/passenger.pp
index 34cff0d..0898534 100644
--- a/modules/puppetmaster/manifests/passenger.pp
+++ b/modules/puppetmaster/manifests/passenger.pp
@@ -36,7 +36,7 @@
 owner => 'root',
 group => 'root',
 mode => '0444',
- source => 'puppet:///modules/puppetmaster/ports.conf';
+ content => template('puppetmaster/ports.conf.erb');
 }
 apache_module { 'passenger':
diff --git a/modules/puppetmaster/templates/20-master.conf.erb b/modules/puppetmaster/templates/20-master.conf.erb
index 8fabe8f..7df44b9 100644
--- a/modules/puppetmaster/templates/20-master.conf.erb
+++ b/modules/puppetmaster/templates/20-master.conf.erb
@@ -12,7 +12,9 @@
 # SSL
 ssldir = /var/lib/puppet/server/ssl/
+<% if @server_type == 'standalone' -%>
 ssl_client_header = SSL_CLIENT_S_DN
 ssl_client_verify_header = SSL_CLIENT_VERIFY
+<%- end -%>
 hostcert = /var/lib/puppet/server/ssl/certs/<%= fqdn %>.pem
 hostprivkey = /var/lib/puppet/server/ssl/private_keys/<%= fqdn %>.pem
diff --git a/modules/puppetmaster/files/ports.conf b/modules/puppetmaster/templates/ports.conf.erb
similarity index 88%
rename from modules/puppetmaster/files/ports.conf
rename to modules/puppetmaster/templates/ports.conf.erb
index d8e30f0..80040a0 100644
--- a/modules/puppetmaster/files/ports.conf
+++ b/modules/puppetmaster/templates/ports.conf.erb
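Review bot: The new `$workers=undef` default is never checked against the new `if $server_type == 'frontend'` branch in the second hunk, yet the templates this commit adds iterate over `@workers` unconditionally whenever the server is a frontend, so a frontend declared without workers would, as far as I can tell, fail with an opaque template error (`each` on nil) instead of a clear message. `$server_type` is not validated either, so a misspelled value silently produces a standalone master. Guarding the branch makes both failures explicit: `if $server_type == 'frontend' and $workers == undef { fail('puppetmaster: $workers must be set when server_type is frontend') }`, and a companion check that `$server_type` is one of standalone, frontend or backend. The class body continues outside both hunks.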
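Review bot: Wrapping `ssl_client_header` and `ssl_client_verify_header` in `<% if @server_type == 'standalone' -%>` makes frontend and backend masters rely on puppet's built-in defaults (`HTTP_X_CLIENT_DN` and `HTTP_X_CLIENT_VERIFY`), which is what makes the `X-Client-DN` / `X-Client-Verify` RequestHeader lines in puppetmaster.erb work, but nothing in this file records that coupling. A comment inside the conditional would keep a future edit of either file from breaking client authentication silently, e.g. `# frontend/backend: puppet falls back to HTTP_X_CLIENT_DN / HTTP_X_CLIENT_VERIFY, which must match the RequestHeader lines in puppetmaster.erb`. The opening tag uses `<%` while the closing one uses `<%-`; picking one trim style for the pair is a small readability win.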
@@ -8,6 +8,10 @@
 NameVirtualHost *:80
 Listen 80
+<% if @server_type == 'backend' or @server_type == 'frontend' -%>
+Listen 8141
+<% end -%>
+
 <IfModule mod_ssl.c>
 # If you add NameVirtualHost *:443 here, you will also have to change
 # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
diff --git a/modules/puppetmaster/templates/post-merge.erb b/modules/puppetmaster/templates/post-merge.erb
new file mode 100644
index 0000000..6a76908
--- /dev/null
+++ b/modules/puppetmaster/templates/post-merge.erb
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+PATH=/usr/bin:/bin
+export PATH
+
+if [ "$USER" = "gitpuppet" ]; then
+ touch /etc/puppet/manifests/site.pp
+
+ <%- if @server_type == 'frontend' -%>
+ # If no key is forwarded then this will use the ready-made equivalent command
+ # on worker and ignore our command.
+ <%- @workers.each do |worker| -%>
+ <%- if worker == @fqdn then next end -%>
+ ssh -t -t <%= worker -%> 'cd /var/lib/git/operations/puppet && git pull && git submodule update --init'
+ <%- end -%>
+ <%- elsif @hostname == 'sockpuppet.pmtpa.wmnet' -%>
+ # TODO: After migration delete the sockpuppet references
+ ssh -t -t stafford.pmtpa.wmnet 'cd /var/lib/git/operations/puppet && git pull && git submodule update --init'
+ <%- end -%>
+fi
diff --git a/modules/puppetmaster/templates/puppetmaster.erb b/modules/puppetmaster/templates/puppetmaster.erb
index 13313bf..981343b 100644
--- a/modules/puppetmaster/templates/puppetmaster.erb
+++ b/modules/puppetmaster/templates/puppetmaster.erb
@@ -10,6 +10,7 @@
 RackAutoDetect Off
 RailsAutoDetect Off
+<%- if @server_type == 'frontend' or @server_type == 'standalone' -%>
 <VirtualHost <%= scope.lookupvar('puppetmaster::passenger::bind_address') %>:8140>
 SSLEngine on
 SSLProtocol -ALL +SSLv3 +TLSv1
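Review bot: The `elsif @hostname == 'sockpuppet.pmtpa.wmnet'` branch in post-merge.erb looks unreachable: if `@hostname` is facter's `hostname` fact it holds the unqualified name, and the deleted shell hook indeed compared `hostname` output against the bare `'sockpuppet'`, so the comparison should be `<%- elsif @fqdn == 'sockpuppet.pmtpa.wmnet' -%>` (or keep `@hostname` and compare with `'sockpuppet'`). The frontend loop above it has the mirror-image problem: `worker == @fqdn` only skips the local host when `$workers` is populated with fully-qualified names, which nothing enforces, and a frontend listed by short name would ssh to itself on every merge. `<%- if worker == @fqdn then next end -%>` is also an unusual way to spell `<%- next if worker == @fqdn -%>`. The fan-out itself is fine from a security standpoint since the remote command is a fixed string and only the host name comes from the catalog.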
@@ -26,6 +27,60 @@
 SSLVerifyDepth 1
 SSLOptions +StdEnvVars
+ <%- if @server_type == 'frontend' -%>
+ # These request headers are used to pass the client certificate
+ # authentication information on to the puppet master process
+ RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
+
+ SSLProxyEngine on
+ ProxyPassMatch ^/([^/]+/certificate.*)$ https://<%= @fqdn %>:8141
+ ProxyPass / balancer://mycluster/
+ <Proxy balancer://mycluster>
+ <%- @workers.each do |worker| -%>
+ BalancerMember https://<%= worker %>:8141
+ <%- end -%>
+ Order allow,deny
+ Allow from all
+ </Proxy>
+ <%- else -%>
+ RackBaseURI /
+
+ <Location />
+ Order Allow,Deny
+<% scope.lookupvar('puppetmaster::passenger::allow_from').each do |entry| -%>
+ Allow from <%= entry.gsub(/^\*/, "") %>
+<% end -%>
+<% scope.lookupvar('puppetmaster::passenger::deny_from').each do |entry| -%>
+ Deny from <%= entry.gsub(/^\*/, "") %>
+<% end -%>
+ </Location>
+
+ DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
+ <Directory /usr/share/puppet/rack/puppetmasterd/>
+ Options None
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+
+ LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %O %D \"%{Referer}i\" \"%{User-Agent}i\"" puppetmaster
+ CustomLog /var/log/apache2/access.log puppetmaster
+ <%- end -%>
+</VirtualHost>
+<%- end -%>
+
+<%- if @server_type == 'frontend' or @server_type == 'backend' -%>
+<VirtualHost <%= scope.lookupvar('puppetmaster::passenger::bind_address') %>:8141>
+ SSLEngine on
+ SSLProtocol -ALL +SSLv3 +TLSv1
+ SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
+
+ SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
+ SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
+ SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
+ SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
 RackBaseURI /
 <Location />
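Review bot: The new 8141 VirtualHost on a backend takes the client's identity from the `X-Client-DN` / `X-Client-Verify` request headers (puppet's default header names once 20-master.conf.erb stops setting `ssl_client_*` for backends), but the hunk shows nothing restricting who may send them: `SSLCACertificateFile` is set, the `SSLVerifyClient` line and the `<Location />` allow/deny list for 8141 fall outside the hunk, and every agent already holds a certificate from that same CA, so any host able to reach a backend on 8141 directly could present those headers and be treated as whichever node it names. On backends `puppetmaster::passenger::allow_from` should therefore list only the frontend(s), with a firewall rule as the second layer, and a comment next to the `RequestHeader set` lines should record that `set` overwrites any client-supplied copy, which is what keeps the frontend path safe. The frontend does not verify the backends it proxies to (`SSLProxyEngine on` leaves `SSLProxyVerify` at its default of none), so add after it `SSLProxyVerify require` and `SSLProxyCACertificateFile /var/lib/puppet/ssl/certs/ca.pem`. `ProxyPassMatch ^/([^/]+/certificate.*)$ https://<%= @fqdn %>:8141` captures `$1` but never uses it, and in the mod_proxy versions I know a regex rule does not append the remaining path, so it is worth confirming certificate requests still arrive at the CA with their full URI. Both VirtualHost blocks continue outside the hunk.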
@@ -49,4 +104,4 @@
 LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %O %D \"%{Referer}i\" \"%{User-Agent}i\"" puppetmaster
 CustomLog /var/log/apache2/access.log puppetmaster
 </VirtualHost>
-
+<%- end -%>
--
To view, visit https://gerrit.wikimedia.org/r/93061
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ibc3461a3394477986d9071dc3545727133742681
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Akosiaris <[email protected]>
Gerrit-Reviewer: Akosiaris <[email protected]>
Gerrit-Reviewer: jenkins-bot
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
