gibran.hcoop.net is a virtual machine at DigitalOcean that will become our primary AFS server.
It is named after the author Kahlil Gibran.
1. Setup Notes
Or: things that need to go into Puppet
- removed joe (or at least set the update-alternatives editor to either vim or emacs...)
- set domain name to hcoop.net manually
- root has basic emacs config for puppet-mode and melpa (probably no need to formalize that...)
- manually installed libnss-afs
1.1. todo
- default "cloud-config" system may be active; check its license and remove it if it is non-free
- looks like it might just be https://help.ubuntu.com/community/CloudInit, which would make it acceptable to keep in place
2. Puppet
2.1. puppetserver
Installed https://apt.puppetlabs.com/puppet5-release-stretch.deb manually
- Packages: puppetserver, puppet-agent
- added /opt/puppetlabs/bin/ to root $PATH in .bashrc; should be done in /etc/profile.d/ instead
Puppet git structure (different repos for each): /etc/puppetlabs/puppet, /etc/puppetlabs/code/environments/production (excludes modules), /etc/puppetlabs/code/environments/production/modules/hcoop, /etc/puppetlabs/code/environments/production/modules/hcoop_private. Subject to change.
Git repos structure and tracking of installed modules will be revisited once we need to set up multiple environments. For now, /etc/puppetlabs/code/environments/production/modules/hcoop is where all of our code aside from node definitions lives. /etc/puppetlabs/code/environments/production/modules/hcoop_private is for private data (krb5 host keys, ssl keys, etc.) that needs to be managed by Puppet. Ideally we would use something like wallet for this instead. hcoop_private contains only virtual references to files tagged appropriately so they can be realized on individual servers.
Puppet module structure:
- hcoop
- server
- $server (e.g. gibran)
- service
- openafs-client
- server
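The hcoop_private pattern described above (virtual file resources tagged per host, realized from that host's own class), written out as an added example; this is not hcoop's code, and the module paths, file names and the `gibran`/`otherhost` tags are assumptions for illustration:

```puppet
# modules/hcoop_private/manifests/init.pp  (added example, not hcoop's code)
#
# Every secret is a *virtual* file resource (@file) tagged with the name of
# the one host allowed to receive it. Declaring this class by itself applies
# nothing; a host's own class realizes only the files carrying its tag.
class hcoop_private {

  # Defaults for every file in this module: root-only, never printed in agent
  # reports or logs (show_diff) and never copied into the filebucket (backup).
  File {
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    backup    => false,
  }

  # Assumed file names under modules/hcoop_private/files/<host>/.
  @file { '/etc/krb5.keytab':
    source => 'puppet:///modules/hcoop_private/gibran/krb5.keytab',
    tag    => 'gibran',
  }

  @file { '/etc/openafs/server/KeyFileExt':
    source => 'puppet:///modules/hcoop_private/gibran/KeyFileExt',
    tag    => 'gibran',
  }

  # Belongs to a different (hypothetical) server; realizing on gibran
  # leaves it untouched.
  @file { '/etc/ssl/private/example.hcoop.net.key':
    source => 'puppet:///modules/hcoop_private/otherhost/example.hcoop.net.key',
    tag    => 'otherhost',
  }
}

# modules/hcoop/manifests/server/gibran.pp  (added example)
class hcoop::server::gibran {
  include hcoop_private

  # Collector: realize only the virtual files tagged with this host's name.
  # Using the hostname fact instead of a literal keeps this line identical
  # in every hcoop::server::* class.
  File <| tag == $facts['networking']['hostname'] |>
}
```

Two caveats worth keeping in mind with this pattern: a collector matches across the whole catalog, so the tag must be something only the intended host's class will select on (the hostname is a reasonable choice); and the secrets still sit in plaintext in the hcoop_private git repo on the puppetserver and are served to whichever agent's catalog realizes them, which is the reason the page mentions wallet as the better long-term home for them.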
2.2. puppetdb
The install guide is weird; the steps used here:
- puppet resource package puppetdb ensure=latest
- puppet resource package puppetdb-termini ensure=latest
- puppet module install puppetlabs-puppetdb
2.3. installed modules
- puppetlabs-firewall
- puppetlabs-puppetdb
- alexharvey-firewall_multi (reports itself as incompatible, but works well enough)
- stm-resolv_conf
- ccin2p3-mit_krb5
- stm-debconf
- saz-sudo
- herculesteam-augeasproviders_pam
- herculesteam-augeasproviders_core
- saz-timezone
2.4. style guide
Ideas for keeping consistency among admins
- Use firewall_multi for all rules unless a rule really is IPv4- or IPv6-only; the provider is set in the resource defaults and keeps the IPv4 and IPv6 firewalls in sync
- Should pass puppet-lint (enforced with a git hook) / rspec; see https://puppet.com/docs/puppet/5.5/style_guide.html
- Inheritance is discouraged? Avoiding it for now
- Files controlled by puppet have comment "This file is managed by Puppet. DO NOT EDIT." somewhere near the top
- Some structure to firewall rule numbers
- Under 100 for core system things that need to go near the beginning
- Over 900 for core system things that need to go near the end (e.g. jumping to fwtool output chains)
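The conventions above in one manifest, as an added example rather than hcoop's own code: firewall_multi with the provider set once in the defaults, the ICMP exception that genuinely has to be family-specific, the under-100 / over-900 rule numbering, and the "managed by Puppet" header on a /etc/profile.d/ file that replaces the .bashrc PATH hack from the setup notes. Rule numbers, rule names, the class names and the file name puppetlabs.sh are assumptions.

```puppet
# modules/hcoop/manifests/firewall.pp  (added example, not hcoop's code)
class hcoop::firewall {

  # firewall_multi fans one declaration out to both providers, so the IPv4
  # and IPv6 rule sets cannot drift apart. Set once as a resource default.
  Firewall_multi {
    provider => ['iptables', 'ip6tables'],
  }

  # Under 100: core rules that must come first.
  firewall_multi { '001 accept loopback':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall_multi { '002 accept established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  # The one legitimate family-specific case: ICMP is a different protocol
  # on each family, so these are plain firewall resources with an explicit
  # provider instead of firewall_multi.
  firewall { '003 accept icmp':
    proto    => 'icmp',
    action   => 'accept',
    provider => 'iptables',
  }
  firewall { '003 accept ipv6-icmp':
    proto    => 'ipv6-icmp',
    action   => 'accept',
    provider => 'ip6tables',
  }

  # 100-899: per-service rules (assumed range), declared next to the service.
  firewall_multi { '100 accept ssh':
    proto  => 'tcp',
    dport  => '22',
    action => 'accept',
  }

  # Over 900: core rules that must come last, e.g. the final policy.
  firewall_multi { '999 drop everything else':
    proto  => 'all',
    action => 'drop',
  }

  # Any rule not declared in Puppet is removed on the next run, so a rule
  # added by hand on the box does not silently survive.
  resources { 'firewall':
    purge => true,
  }
}

# modules/hcoop/manifests/puppet_path.pp  (added example, not hcoop's code)
# The .bashrc hack from the setup notes done properly: a managed file in
# /etc/profile.d/ that opens with the agreed header. The unquoted heredoc
# tag @(EOT) disables interpolation, so $PATH reaches the file literally.
class hcoop::puppet_path {
  file { '/etc/profile.d/puppetlabs.sh':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => @(EOT),
      # This file is managed by Puppet. DO NOT EDIT.
      export PATH="$PATH:/opt/puppetlabs/bin"
      | EOT
  }
}
```

The rule numbers only order rules within a chain, so the "under 100" and "over 900" bands only do their job if every admin sticks to them; `puppet-lint` will not catch a service rule numbered 950, which is why the page keeps this as a convention rather than something the tooling enforces.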